Description
A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: 13.0% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the sub_41ACCC function of Comfast CF‑E7’s webmggnt component, triggered by tampering with the timestr parameter on the /cgi-bin/mbox-config?method=SET&section=ntp_timezone endpoint. Exploitation allows a remote actor to execute arbitrary shell commands with the privileges of the webmggnt process, enabling full control of the router’s software layer.

Affected Systems

Affected equipment is the Comfast CF‑E7 router running firmware version 2.6.0.9. No other firmware revisions are mentioned; devices with the same vulnerable component and unpatched firmware may also be susceptible.

Risk and Exploitability

The CVSS base score of 5.3 denotes medium risk, and the EPSS score of 13% indicates a relatively high probability that the vulnerability will be targeted in the near term. The flaw is not listed in CISA’s KEV catalog, but public exploits are available. Attackers can trigger the injection remotely over the internet by sending a crafted HTTP request to the vulnerable endpoint, provided the router’s web management interface is externally reachable.

Generated by OpenCVE AI on June 18, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router’s firmware to a version that removes the vulnerable sub_41ACCC function; check the vendor’s website or support channels for an official patch or updated firmware.
  • Restrict external access to the router’s web management interface by placing the device behind a firewall or network segment that limits which IP addresses can reach /cgi-bin/mbox-config, or disable the web interface when it is not needed for remote configuration.
  • Enable logging and monitor inbound HTTP traffic to the router for anomalous or suspicious request patterns that may indicate attempts to trigger the injection vector; consider temporarily blocking the /cgi-bin/mbox-config endpoint if it is not required for normal operation.

Generated by OpenCVE AI on June 18, 2026 at 10:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:comfast:cf-e7_firmware:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Comfast cf-e7 Firmware
CPEs cpe:2.3:h:comfast:cf-e7:-:*:*:*:*:*:*:*
cpe:2.3:o:comfast:cf-e7_firmware:2.6.0.9:*:*:*:*:*:*:*
Vendors & Products Comfast cf-e7 Firmware

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Comfast
Comfast cf-e7
Vendors & Products Comfast
Comfast cf-e7

Fri, 20 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Comfast CF-E7 webmggnt mbox-config sub_41ACCC command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Comfast Cf-e7 Cf-e7 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:30:48.632Z

Reserved: 2026-02-19T17:22:19.708Z

Link: CVE-2026-2823

cve-icon Vulnrichment

Updated: 2026-02-20T14:53:10.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T05:17:53.923

Modified: 2026-06-17T10:31:50.297

Link: CVE-2026-2823

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:00:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')