The flaw resides in the setOpenVpnCertGenerationCfg function of the Totolink A8000RU's cstecgi.cgi, where an attacker can manipulate the servername parameter to inject arbitrary OS commands. Because the service is exposed via the router's web interface, a remote attacker can issue any shell command with the privileges of the device, leading to full compromise of the router's firmware and the network it manages. The injection vulnerability falls under CWE-77 and CWE-78 and results in loss of confidentiality, integrity and availability of the device and connected resources.

Affected devices are Totolink A8000RU routers running firmware version 7.1cu.643_b20200521. No other versions have been confirmed to be impacted, but users should verify whether newer revisions contain the same flaw. The vulnerability is limited to the web management interface and specifically the cstecgi.cgi script handling OpenVPN certificate generation configuration.

The CVSS score of 9.3 reflects a critical impact, and the EPSS score is not reported, though public exploits have been released, indicating that attackers already have functioning attack code. The vulnerability is remotely exploitable via the router's web UI without authentication, so an adversary on the same network or with remote network access can trigger the injection. The absence of any CISA KEV listing does not reduce the threat because the flaw is widely known and actively used.