Skip to main content

Comfast CF-WR631AX EUVDEUVD-2026-43252

| CVE-2026-15511 HIGH
Command Injection (CWE-77)
2026-07-12 cna@vuldb.com GHSA-hpmx-855m-f9m5
8.9
CVSS 4.0 · Vendor: vuldb
Share

Severity by source

Vendor (vuldb) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Remote, low-complexity, unauthenticated injection with no user interaction (AV:N/AC:L/PR:N/UI:N); command execution as the router daemon yields full C/I/A impact with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 23:35 vuln.today

DescriptionCVE.org

A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

OS command injection in the Comfast CF-WR631AX V3 WiFi router (firmware through 2.7.0.8) lets remote attackers execute arbitrary operating-system commands by manipulating the filename argument in the system_wl_upload_pic_file routine of the /usr/bin/webmgnt FastCGI backend. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation, and publicly available exploit code exists (E:P). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach router web-management interface
Delivery
Send crafted image-upload request
Exploit
Inject shell metacharacters in filename argument
Execution
webmgnt FastCGI executes command
Persist
Run arbitrary commands as daemon/root
Impact
Full device takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the CF-WR631AX web-management interface and use of the WiFi-portal image-upload function whose filename argument is handled by system_wl_upload_pic_file in /usr/bin/webmgnt; no authentication, no user interaction, and no special non-default configuration are indicated by the CVSS vector (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuinely high-priority issue for anyone operating this device: the CVSS 4.0 base score is 8.9 with a fully remote, low-complexity, no-privilege, no-interaction vector and high impact to confidentiality, integrity and availability of the router itself (VC/VI/VA:H, subsequent-system impacts N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the router's web-management interface sends a crafted request to the WiFi-portal image-upload endpoint with a filename containing shell metacharacters (e.g., a command appended after a separator). The webmgnt FastCGI backend passes the filename into a shell command, executing the attacker's payload as the daemon user (typically root) and yielding full device takeover. …
Remediation No vendor-released patch identified at time of analysis - the vendor was contacted early but did not respond, and no fixed firmware version is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Comfast CF-WR631AX V3 devices in your environment (firmware ≤2.7.0.8 via web UI or SSH) and isolate affected units from internet connectivity immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy