Skip to main content

Cf Wr631Ax V3

1 CVEs product

Monthly

CVE-2026-12814 LOW POC Monitor

OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the `destination` parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. The vendor was notified prior to disclosure and did not respond, leaving all known firmware versions without a patch.

Command Injection Cf Wr631Ax V3
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.2%
EPSS 1% CVSS 2.1
LOW POC Monitor

OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the `destination` parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. The vendor was notified prior to disclosure and did not respond, leaving all known firmware versions without a patch.

Command Injection Cf Wr631Ax V3
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy