CVE-2026-2537 - Vulnerability Details

- Comfast CF-E4 HTTP POST Request mbox-config command injection

Description

A vulnerability was identified in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-02-16

Score: 5.1 Medium

EPSS: 15.4% Moderate

KEV: No

Impact:

Action:

Analysis

Impact

A command injection flaw exists in the mbox-config CGI script of the Comfast CF‑E4 router firmware. The vulnerability is triggered by supplying a specially crafted timestr argument to the POST request to /cgi-bin/mbox-config?method=SET&section=ntp_timezone. An attacker who can reach the device can inject arbitrary shell commands, which can then be executed with the privileges of the web server process. The flaw affects confidentiality, integrity, and availability of the device and any services running on it.

Affected Systems

The vulnerability affects Comfast CF‑E4 routers running firmware 2.6.0.1. The affected component is the HTTP POST Request Handler that processes mbox‑config requests.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS score of 15% suggests a moderately higher probability of exploitation, especially given the publicly available exploit and remote attack capabilities. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote exploitation over the network, as the exposed CGI endpoint accepts unauthenticated HTTP POST requests.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Comfast

CF-E4

affected

Version	Status	Constraints
`2.6.0.1`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:comfast:cf-e4_firmware:2.6.0.1:*:*:*:*:*:*:*

cpe:2.3:h:comfast:cf-e4:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Comfast

Cf-e4

—

Version	Status	Scheme	Platform
`2.6.0.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the CF‑E4 firmware to a version that removes the vulnerable timestr parameter handling, or apply the vendor’s patch once it becomes available.
Configure a firewall or access control list to block or filter HTTP POST requests to the /cgi-bin/mbox-config endpoint from untrusted networks.
Disable the NTP timezone configuration feature in the router’s settings if the functionality is not required, thereby eliminating the vulnerable CGI entry point.

Generated by OpenCVE AI on June 18, 2026 at 10:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.15386.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/cha0yang1/COMFAST/blob/main/RCE.md
https://vuldb.com/?ctiid.346125
https://vuldb.com/?id.346125
https://vuldb.com/?submit.749196

History

Wed, 25 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Comfast cf-e4 Firmware
CPEs		cpe:2.3:h:comfast:cf-e4:-:::::::* cpe:2.3:o:comfast:cf-e4_firmware:2.6.0.1:::::::*
Vendors & Products		Comfast cf-e4 Firmware

Tue, 17 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Feb 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Comfast Comfast cf-e4
Vendors & Products		Comfast Comfast cf-e4

Mon, 16 Feb 2026 06:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Comfast CF-E4 HTTP POST Request mbox-config command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/cha0yang1/COMFAST/blob/main/RCE.md https://vuldb.com/?ctiid.346125 https://vuldb.com/?id.346125 https://vuldb.com/?submit.749196
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Comfast Cf-e4 Cf-e4 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-16T05:32:05.986Z

Updated: 2026-02-23T10:06:10.768Z

Reserved: 2026-02-15T09:22:17.332Z

Link: CVE-2026-2537

Vulnrichment

Updated: 2026-02-17T17:04:18.663Z

NVD

Status : Analyzed

Published: 2026-02-16T06:16:22.320

Modified: 2026-06-17T10:31:16.137

Link: CVE-2026-2537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T11:00:04Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object