Description
A flaw has been found in Comfast CF-E7 2.6.0.9. This affects the function sub_441CF4 of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component webmggnt. Executing a manipulation of the argument destination can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-20
Score: 5.3 Medium
EPSS: 9.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the webmggnt component of Comfast CF-E7 routers allows attackers to manipulate the "/cgi-bin/mbox-config?method=SET&section=ping_config" API. The vulnerable code accepts a "destination" parameter and passes its value directly into a system call, resulting in command injection. Successful exploitation provides an attacker with the ability to execute arbitrary shell commands on the device, enabling full control, data theft, or configuration tampering.

Affected Systems

The vulnerability affects Comfast CF‑E7 routers running firmware 2.6.0.9. No evidence indicates that earlier firmware releases are immune; the exposed CGI script is present only in the reported version. Users should specifically check the firmware version deployed on their devices against the stated value.

Risk and Exploitability

The CVSS base score of 5.3 signifies moderate severity, while the EPSS score of 9% indicates a relatively high probability of exploitation. The attack is performed remotely through the router’s web management interface and requires no local privileges. If an attacker injects commands, they effectively gain administrative control, making this a moderate to high risk for routers exposed to untrusted networks. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware release that removes the vulnerability, if available.
  • If a patch is not available, restrict external access to the router’s management interface with firewall rules or by isolating the device on a separate VLAN that is not reachable from the Internet or untrusted internal segments.
  • Disable or restrict the /cgi-bin/mbox-config API endpoint; alternatively, block POST requests to that endpoint that contain a destination parameter from untrusted sources.
  • Monitor the router’s logs for repeated or anomalous POST attempts to the webmggnt interface and investigate any suspicious activity promptly.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:comfast:cf-e7_firmware:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Comfast cf-e7 Firmware
CPEs cpe:2.3:h:comfast:cf-e7:-:*:*:*:*:*:*:*
cpe:2.3:o:comfast:cf-e7_firmware:2.6.0.9:*:*:*:*:*:*:*
Vendors & Products Comfast cf-e7 Firmware

Fri, 20 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Comfast
Comfast cf-e7
Vendors & Products Comfast
Comfast cf-e7

Fri, 20 Feb 2026 05:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Comfast CF-E7 2.6.0.9. This affects the function sub_441CF4 of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component webmggnt. Executing a manipulation of the argument destination can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Comfast CF-E7 webmggnt mbox-config sub_441CF4 command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:31:02.530Z

Reserved: 2026-02-19T17:22:22.366Z

Link: CVE-2026-2824

Vulnrichment

Updated: 2026-02-20T14:44:14.677Z

NVD

Status: Analyzed

Published: 2026-02-20T06:17:01.387

Modified: 2026-06-17T10:31:50.437

Link: CVE-2026-2824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')