Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET§ion=update_interface_png. This manipulation causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Command injection in Comfast CF-AC100 2.6.0.8 allows remote attackers to execute arbitrary commands through the /cgi-bin/mbox-config endpoint with high privileges. The vulnerability requires administrative credentials but carries no authentication complexity, and public exploit code exists with no vendor patch available. Affected devices can be compromised remotely to achieve command execution with limited scope.
Technical ContextAI
The vulnerability is rooted in improper input validation (CWE-74: Improper Neutralization of Special Elements in Output) within the CGI-based web administration interface of the Comfast CF-AC100 router. The affected endpoint /cgi-bin/mbox-config processes the SET method with a section parameter for update_interface_png without adequately sanitizing or escaping shell metacharacters before passing user-supplied data to backend command execution functions. This is a classic command injection flaw common in embedded device firmware where CGI scripts directly invoke system utilities (such as 'ifconfig', 'iwconfig', or image processing tools) with attacker-controlled arguments. The CF-AC100 is a compact WiFi repeater/access point device running proprietary Linux-based firmware, and the affected version 2.6.0.8 does not implement sufficient output encoding or parameterized command execution patterns.
RemediationAI
Immediate patching is not available as the vendor has not responded to disclosure. Users should take the following steps: (1) Restrict network access to the router's web administration interface (port 80/443) to trusted IP addresses only through firewall rules or disable remote management entirely; (2) change default administrative credentials immediately to a strong, unique password; (3) isolate the affected router on a separate VLAN or network segment if possible to limit lateral movement in case of compromise; (4) monitor the Comfast support website and security mailing lists for future firmware updates, though vendor responsiveness appears low; (5) consider replacing the device with a router from vendors with active security support and faster patch cycles. Temporary mitigation via network segmentation and credential hardening reduces but does not eliminate risk. Users should document their equipment and timeline for replacement, as this device should be considered end-of-life from a security perspective given vendor non-responsiveness.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13524