Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, low-complexity, unauthenticated injection with no user interaction (AV:N/AC:L/PR:N/UI:N); command execution as the router daemon yields full C/I/A impact with no scope change.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OS command injection in the Comfast CF-WR631AX V3 WiFi router (firmware through 2.7.0.8) lets remote attackers execute arbitrary operating-system commands by manipulating the filename argument in the system_wl_upload_pic_file routine of the /usr/bin/webmgnt FastCGI backend. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation, and publicly available exploit code exists (E:P). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the CF-WR631AX web-management interface and use of the WiFi-portal image-upload function whose filename argument is handled by system_wl_upload_pic_file in /usr/bin/webmgnt; no authentication, no user interaction, and no special non-default configuration are indicated by the CVSS vector (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuinely high-priority issue for anyone operating this device: the CVSS 4.0 base score is 8.9 with a fully remote, low-complexity, no-privilege, no-interaction vector and high impact to confidentiality, integrity and availability of the router itself (VC/VI/VA:H, subsequent-system impacts N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the router's web-management interface sends a crafted request to the WiFi-portal image-upload endpoint with a filename containing shell metacharacters (e.g., a command appended after a separator). The webmgnt FastCGI backend passes the filename into a shell command, executing the attacker's payload as the daemon user (typically root) and yielding full device takeover. … |
| Remediation | No vendor-released patch identified at time of analysis - the vendor was contacted early but did not respond, and no fixed firmware version is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Comfast CF-WR631AX V3 devices in your environment (firmware ≤2.7.0.8 via web UI or SSH) and isolate affected units from internet connectivity immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43252
GHSA-hpmx-855m-f9m5