CVE-2026-2537
Command Injection in Comfast CF-E4 HTTP POST Handler
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comfast | cf-e4_firmware | 2.6.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2537 is a command injection vulnerability found in Comfast CF-E4 version 2.6.0.1. It exists in the HTTP POST request handler at the endpoint /cgi-bin/mbox-config?method=SET§ion=ntp_timezone. The vulnerability arises because the timestr argument is improperly handled and directly used in system commands without proper sanitization. This allows an attacker to inject and execute arbitrary commands on the device remotely, given they have the required authentication.
The flaw is classified under CWE-77 (command injection) and corresponds to the MITRE ATT&CK technique T1202. Exploitation requires an enhanced level of authentication, but a proof-of-concept exploit is publicly available, making it easier to exploit.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to execute arbitrary commands on the affected device with root privileges. This compromises the confidentiality, integrity, and availability of the system.
- Remote attackers with authentication can gain full control over the device.
- Attackers can manipulate system functions, potentially disrupting services or stealing sensitive information.
- Since the exploit is publicly available, the risk of exploitation is increased.
No patches or mitigations are currently available, so affected devices should be replaced or isolated to reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for HTTP POST requests to the endpoint /cgi-bin/mbox-config with the parameters method=SET and section=ntp_timezone, especially those containing suspicious or crafted values in the timestr argument.
Since exploitation requires authentication and involves command injection via the timestr parameter, network detection can focus on identifying unusual POST requests to this endpoint or unexpected command execution behavior on the device.
Specific commands to detect exploitation attempts are not provided in the available resources. However, monitoring web server logs for POST requests to /cgi-bin/mbox-config?method=SET§ion=ntp_timezone and inspecting the timestr parameter for suspicious input could help.
What immediate steps should I take to mitigate this vulnerability?
There are no known patches or vendor-provided mitigations available for this vulnerability as the vendor did not respond to the disclosure.
Immediate mitigation steps include considering replacement of the affected product to avoid exposure.
Additionally, restricting network access to the vulnerable endpoint, enforcing strict authentication controls, and monitoring for suspicious activity may help reduce risk until a more permanent solution is implemented.