Description
A vulnerability was found in Comfast CF-AC100 2.6.0.8. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=wireless_device_dissoc. The manipulation results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch
AI Analysis

Impact

A vulnerability was discovered in Comfast CF-AC100 2.6.0.8 that allows an attacker to inject arbitrary operating‑system commands via the /cgi-bin/mbox-config?method=SET&section=wireless_device_dissoc endpoint. The flaw results in command injection (CWE-74 and CWE-77) and can lead to full remote code execution, compromising confidentiality, integrity, and availability of the device.

Affected Systems

The affected product is Comfast CF-AC100 running firmware version 2.6.0.8. No other versions are reported as impacted in the provided data.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating moderate severity. EPSS information is not available, and the exploit is not listed in CISA's KEV catalog. The exploit is publicly available and can be performed remotely, so the attacker only needs network access to the device. Given the public availability of the exploit and the remote nature of the attack, the risk to affected deployments should be considered significant.

Generated by OpenCVE AI on March 20, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s firmware patch for CF‑AC100 2.6.0.8 if one is released.
  • If a patch is not yet available, restrict or block external access to the /cgi-bin/mbox-config endpoint using a firewall or device ACL.
  • Monitor the device and network logs for unexpected command execution or suspicious traffic targeting the /cgi-bin/mbox-config path.

Generated by OpenCVE AI on March 20, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Comfast cf-ac100
Vendors & Products Comfast cf-ac100

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Comfast CF-AC100 2.6.0.8. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=wireless_device_dissoc. The manipulation results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Comfast CF-AC100 mbox-config command injection
First Time appeared Comfast
Comfast cf-ac100 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:comfast:cf-ac100_firmware:*:*:*:*:*:*:*:*
Vendors & Products Comfast
Comfast cf-ac100 Firmware
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Comfast Cf-ac100 Cf-ac100 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T19:57:42.110Z

Reserved: 2026-03-19T20:32:18.439Z

Link: CVE-2026-4467

cve-icon Vulnrichment

Updated: 2026-03-20T19:57:38.527Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-20T03:16:01.427

Modified: 2026-03-20T13:37:50.737

Link: CVE-2026-4467

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T10:37:47Z

Weaknesses