Submeter #749196: COMFAST CF-E4 (EC200A) 2.6.0.1 Command Injectioninformação

TítuloCOMFAST CF-E4 (EC200A) 2.6.0.1 Command Injection
DescriçãoA command injection vulnerability was discovered in the COMFAST CF-E4 (EC200A) WiFi router with firmware version V2.6.0.1. The issue exists within the processing of the ntp_timezone section via the /cgi-bin/mbox-config endpoint. By sending a crafted POST request with a malicious timestr parameter, an authenticated attacker can bypass input validation and execute arbitrary system commands as root. This occurs because the user-supplied input is directly concatenated into a shell command string.
Fonte⚠️ https://github.com/cha0yang1/COMFAST/blob/main/RCE.md
Utilizador
 cha0yang (UID 94272)
Submissão30/01/2026 06h21 (há 3 meses)
Moderação15/02/2026 10h22 (16 days later)
EstadoAceite
Entrada VulDB346125 [Comfast CF-E4 2.6.0.1 HTTP POST Request mbox-config?method=SET§ion=ntp_timezone timestr Elevação de Privilégios]
Pontos20

VoltarVisão GeralPróximo

Do you need the next level of professionalism?

Upgrade your account now!