CVE-2026-4466
Received Received - Intake
Command Injection in Comfast CF-AC100 NTP Timezone CGI

Publication date: 2026-03-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Comfast CF-AC100 2.6.0.8. This affects an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4466
EUVD
EUVD-2026-13484
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
comfast cf-ac100 2.6.0.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4466 is a command injection vulnerability in the COMFAST CF-AC100 router running firmware version 2.6.0.8. It occurs in the web management interface at the endpoint /cgi-bin/mbox-config?method=SET&section=ntp_timezone, specifically in the handling of the "timestr" field in an HTTP POST request.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the "timestr" parameter is not properly validated and is unsafely concatenated using sprintf before being executed via a system call. This allows an authenticated attacker with valid session cookies to inject arbitrary shell commands remotely.'}, {'type': 'paragraph', 'content': 'By sending a crafted POST request with malicious payload in the "timestr" JSON parameter, the attacker can execute arbitrary commands on the device, such as opening a reverse shell to an attacker-controlled server.'}] [1]

Impact Analysis

This vulnerability allows an authenticated remote attacker to execute arbitrary system commands on the affected COMFAST CF-AC100 router. This can lead to full compromise of the device.

  • Unauthorized control over the router, potentially allowing attackers to change configurations or disrupt network operations.
  • Execution of malicious commands such as opening reverse shells, which can be used to gain persistent access or pivot to other devices on the network.
  • Potential interception or manipulation of network traffic passing through the compromised router.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the endpoint /cgi-bin/mbox-config?method=SET&section=ntp_timezone on the COMFAST CF-AC100 router running firmware version 2.6.0.8.'}, {'type': 'paragraph', 'content': 'Specifically, monitoring HTTP POST requests that include the "timestr" parameter in the JSON body is important, as this parameter is vulnerable to command injection if it contains malicious payloads.'}, {'type': 'paragraph', 'content': 'Detection commands could include using network traffic analysis tools like tcpdump or Wireshark to filter for POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/mbox-config?method=SET&section=ntp_timezone'"}, {'type': 'paragraph', 'content': 'Additionally, inspecting web server logs for POST requests to this endpoint with suspicious "timestr" values can help identify exploitation attempts.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the web management interface of the COMFAST CF-AC100 router to trusted and authenticated users only.'}, {'type': 'paragraph', 'content': 'Since exploitation requires authentication and valid session cookies, ensuring strong authentication mechanisms and session management can reduce risk.'}, {'type': 'paragraph', 'content': "Avoid exposing the router's management interface to untrusted networks or the internet."}, {'type': 'paragraph', 'content': 'If possible, disable or restrict the vulnerable endpoint /cgi-bin/mbox-config?method=SET&section=ntp_timezone until a patch or firmware update is available.'}, {'type': 'paragraph', 'content': 'Monitor network traffic and logs for suspicious activity targeting this endpoint.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart