An OS command injection flaw exists in the setDdnsCfg function of the /cgi-bin/cstecgi.cgi script used by the Totolink A8000RU Web Management Interface. By manipulating the arguments sent to this endpoint, an attacker can execute arbitrary operating‑system commands on the device. The vulnerability allows a remote attacker to run code with the privileges of the web server process, potentially compromising the entire router and any connected network. The CVE notes that the exploit is publicly available and that the attack can be launched remotely, indicating a high likelihood of exploitation in real‑world scenarios.

This issue affects the Totolink A8000RU router running firmware version 7.1cu.643_b20200521. The vulnerability is tied to the Web Management Interface component and specifically targets the setDdnsCfg functionality within the cstecgi.cgi CGI script.

The CVSS score of 9.3 demonstrates a critical severity rating. EPSS information is not available, and the vulnerability is not currently listed in the CISA KEV catalog. However, the publicly available exploit together with the remote nature of the attack vector means that any exposed device is at substantial risk. An attacker simply needs to send a crafted HTTP request to /cgi-bin/cstecgi.cgi with a malicious setDdnsCfg payload; authentication or special permissions are not mentioned in the description, suggesting that the attack may be feasible from any network reachable to the router's management interface.