Impact
A flaw allows an attacker to inject arbitrary operating‑system commands by manipulating the 'destination' parameter in the /cgi-bin/mbox-config?section=ping_config API endpoint. The injection can be executed remotely, giving the attacker full control over the device’s operating system. The weakness maps to CWE-77 and CWE-78, representing Command Injection and OS Command Injection respectively.
Affected Systems
The vulnerability affects Comfast CF‑WR631AX V3 firmware versions up to 2.7.0.8. Only devices running affected firmware are impacted; newer firmware releases may have the fix.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score of 1% indicates a low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, but published exploits exist. The attack can be carried out remotely via the API endpoint, and the description indicates that no authentication is required, though this is inferred from the wording of the data.
OpenCVE Enrichment