Skip to main content

Comfast CF-AC100 EUVDEUVD-2026-13484

| CVE-2026-4466 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-20 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
4.7 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13484
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 02:16 nvd
MEDIUM 4.7

DescriptionCVE.org

A vulnerability has been found in Comfast CF-AC100 2.6.0.8. This affects an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Command injection in Comfast CF-AC100 2.6.0.8 allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/mbox-config endpoint's ntp_timezone parameter. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure notifications. An attacker with high-level privileges can leverage this to compromise device integrity and confidentiality.

Technical ContextAI

The vulnerability stems from improper input validation in the CGI script /cgi-bin/mbox-config, which processes user-supplied data in the ntp_timezone parameter without adequate sanitization before passing it to shell command execution. This is a classic CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection') vulnerability. The affected product is Comfast CF-AC100, a wireless access point/router device running firmware version 2.6.0.8. The vulnerability allows an attacker to break out of intended command boundaries and inject shell metacharacters or additional commands, leading to arbitrary code execution within the context of the web server process.

RemediationAI

Immediate remediation requires upgrading the Comfast CF-AC100 device to a patched firmware version if available from the vendor; however, given the vendor's non-responsiveness to early disclosure, no official patch may exist. As an interim measure, restrict administrative access to the device by implementing strict network segmentation, limiting access to the web management interface to a dedicated management VLAN or bastion host, and enforcing strong authentication credentials (avoid default passwords). Disable remote management capabilities if not required, and consider isolating the affected device from critical network segments. Monitor device logs for suspicious CGI requests containing shell metacharacters or command injection payloads targeting the /cgi-bin/mbox-config endpoint. Organizations unable to immediately replace the device should implement a compensating control via a reverse proxy or WAF positioned upstream of the device, configured to block requests containing known command injection patterns in the ntp_timezone parameter. For additional context, see the vulnerability references at https://vuldb.com/?submit.772874 and https://nvd.nist.gov/vuln/detail/CVE-2026-4466.

Share

EUVD-2026-13484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy