CVE-2026-2537
Unknown Unknown - Not Provided
Command Injection in Comfast CF-E4 HTTP POST Handler

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2537
EUVD
EUVD-2026-6124
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comfast cf-e4_firmware 2.6.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2537 is a command injection vulnerability found in Comfast CF-E4 version 2.6.0.1. It exists in the HTTP POST request handler at the endpoint /cgi-bin/mbox-config?method=SET&section=ntp_timezone. The vulnerability arises because the timestr argument is improperly handled and directly used in system commands without proper sanitization. This allows an attacker to inject and execute arbitrary commands on the device remotely, given they have the required authentication.

The flaw is classified under CWE-77 (command injection) and corresponds to the MITRE ATT&CK technique T1202. Exploitation requires an enhanced level of authentication, but a proof-of-concept exploit is publicly available, making it easier to exploit.

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute arbitrary commands on the affected device with root privileges. This compromises the confidentiality, integrity, and availability of the system.

  • Remote attackers with authentication can gain full control over the device.
  • Attackers can manipulate system functions, potentially disrupting services or stealing sensitive information.
  • Since the exploit is publicly available, the risk of exploitation is increased.

No patches or mitigations are currently available, so affected devices should be replaced or isolated to reduce risk.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves monitoring for HTTP POST requests to the endpoint /cgi-bin/mbox-config with the parameters method=SET and section=ntp_timezone, especially those containing suspicious or crafted values in the timestr argument.

Since exploitation requires authentication and involves command injection via the timestr parameter, network detection can focus on identifying unusual POST requests to this endpoint or unexpected command execution behavior on the device.

Specific commands to detect exploitation attempts are not provided in the available resources. However, monitoring web server logs for POST requests to /cgi-bin/mbox-config?method=SET&section=ntp_timezone and inspecting the timestr parameter for suspicious input could help.

Mitigation Strategies

There are no known patches or vendor-provided mitigations available for this vulnerability as the vendor did not respond to the disclosure.

Immediate mitigation steps include considering replacement of the affected product to avoid exposure.

Additionally, restricting network access to the vulnerable endpoint, enforcing strict authentication controls, and monitoring for suspicious activity may help reduce risk until a more permanent solution is implemented.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart