This vulnerability exists in the Totolink A7100RU router firmware 7.4cu.2313_b20191024 within the CGI handler component, specifically the setDiagnosisCfg function in /cgi-bin/cstecgi.cgi. An attacker can manipulate the 'ip' parameter to inject OS commands, leading to remote code execution. The CVSS 4.0 base score is 9.3, indicating critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available.

Successful exploitation allows remote attackers to execute arbitrary operating system commands on the affected device, potentially leading to full compromise of the router. This can result in unauthorized control, data interception, or disruption of network services. The vulnerability requires no authentication and can be triggered remotely, increasing the risk of widespread exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling remote access to the affected CGI interface if possible or isolate the device from untrusted networks to reduce exposure.