This vulnerability affects the Totolink A7100RU router firmware 7.4cu.2313_b20191024. It arises from improper input handling in the setSyslogCfg function of the /cgi-bin/cstecgi.cgi CGI handler component. Specifically, the 'enable' parameter can be manipulated to inject OS commands, enabling remote attackers to execute arbitrary commands on the device. The vulnerability has a CVSS 4.0 base score of 9.3, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although an exploit is publicly available, there is no vendor advisory or patch information currently provided.

Successful exploitation allows remote attackers to execute arbitrary operating system commands on the affected device without authentication. This can lead to full compromise of the device, including unauthorized access, data manipulation, or disruption of service. The high CVSS score reflects the critical nature and ease of exploitation of this vulnerability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting network access to the device's management interface to trusted hosts only and monitor for suspicious activity. Avoid exposing the device's CGI interface to untrusted networks. Follow vendor channels closely for updates and apply patches promptly once available.