CVE-2026-2823
Received Received - Intake
Remote Command Injection in Comfast CF-E7 Web Management Component

Publication date: 2026-02-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-02-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2823
EUVD
EUVD-2026-7620
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comfast cf-e7_firmware 2.6.0.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "CVE-2026-2823 is a command injection vulnerability found in the Comfast CF-E7 router version 2.6.0.9. It occurs in the web management component, specifically in the CGI script at /cgi-bin/mbox-config?method=SET&section=ntp_timezone. The vulnerability is triggered by manipulating the 'timestr' argument, which is not properly sanitized, allowing attackers to inject and execute arbitrary system commands on the device."}, {'type': 'paragraph', 'content': 'This flaw can be exploited remotely without authentication, making it accessible to attackers over the network. The vulnerability affects the confidentiality, integrity, and availability of the affected system by allowing unauthorized command execution.'}] [1, 2]


How can this vulnerability impact me? :

This vulnerability allows remote attackers to execute arbitrary commands on the affected Comfast CF-E7 router, potentially compromising the device and the network it manages.

  • Attackers can gain unauthorized control over the router.
  • Confidentiality of network data can be breached.
  • Integrity of the system can be compromised by unauthorized changes.
  • Availability of network services may be disrupted.

Since the exploit is publicly available and requires no authentication, the risk of exploitation is high.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted HTTP POST requests targeting the path `/cgi-bin/mbox-config?method=SET&section=ntp_timezone` on Comfast CF-E7 routers running version 2.6.0.9.'}, {'type': 'paragraph', 'content': 'Detection commands could include using network traffic analysis tools like tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/mbox-config?method=SET&section=ntp_timezone'"}, {'type': 'list_item', 'content': 'Using curl or similar tools to test the endpoint manually by sending crafted POST requests with manipulated `timestr` parameters to check for command injection behavior.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring authentication attempts and unusual command execution logs on the device may help identify exploitation attempts.'}] [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint by implementing network-level controls such as firewall rules to block incoming requests to `/cgi-bin/mbox-config?method=SET&section=ntp_timezone`.

Since no vendor patch or official fix is available and the vendor did not respond, it is recommended to replace the affected Comfast CF-E7 device with a different product that is not vulnerable.

Additionally, monitoring the device for signs of compromise and disabling remote management features if possible can reduce exposure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart