Skip to main content

Comfast CF-AC100 CVE-2026-4468

| EUVDEUVD-2026-13524 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-20 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13524
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 04:16 nvd
MEDIUM 4.7

DescriptionCVE.org

A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET&section=update_interface_png. This manipulation causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in Comfast CF-AC100 2.6.0.8 allows remote attackers to execute arbitrary commands through the /cgi-bin/mbox-config endpoint with high privileges. The vulnerability requires administrative credentials but carries no authentication complexity, and public exploit code exists with no vendor patch available. Affected devices can be compromised remotely to achieve command execution with limited scope.

Technical ContextAI

The vulnerability is rooted in improper input validation (CWE-74: Improper Neutralization of Special Elements in Output) within the CGI-based web administration interface of the Comfast CF-AC100 router. The affected endpoint /cgi-bin/mbox-config processes the SET method with a section parameter for update_interface_png without adequately sanitizing or escaping shell metacharacters before passing user-supplied data to backend command execution functions. This is a classic command injection flaw common in embedded device firmware where CGI scripts directly invoke system utilities (such as 'ifconfig', 'iwconfig', or image processing tools) with attacker-controlled arguments. The CF-AC100 is a compact WiFi repeater/access point device running proprietary Linux-based firmware, and the affected version 2.6.0.8 does not implement sufficient output encoding or parameterized command execution patterns.

RemediationAI

Immediate patching is not available as the vendor has not responded to disclosure. Users should take the following steps: (1) Restrict network access to the router's web administration interface (port 80/443) to trusted IP addresses only through firewall rules or disable remote management entirely; (2) change default administrative credentials immediately to a strong, unique password; (3) isolate the affected router on a separate VLAN or network segment if possible to limit lateral movement in case of compromise; (4) monitor the Comfast support website and security mailing lists for future firmware updates, though vendor responsiveness appears low; (5) consider replacing the device with a router from vendors with active security support and faster patch cycles. Temporary mitigation via network segmentation and credential hardening reduces but does not eliminate risk. Users should document their equipment and timeline for replacement, as this device should be considered end-of-life from a security perspective given vendor non-responsiveness.

Share

CVE-2026-4468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy