Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Comfast CF-E7: Remote Command Injection in NTP Timezone Config
CVE-2026-2823
Summary
A security flaw in the Comfast CF-E7's web interface allows an attacker to execute arbitrary commands remotely. This vulnerability is publicly known and can be exploited. It's essential to update the software to a patched version to prevent potential attacks.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| comfast | cf-e7_firmware | 2.6.0.9 | – |
Original title
A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET§ion=ntp_timezone of the component webmggnt. Pe...
Original description
A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET§ion=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.5
nvd CVSS3.1
8.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-74
Injection
CWE-77
Command Injection
- https://github.com/jinhao118/cve/blob/main/ComFast%20Router_3.md Exploit Third Party Advisory
- https://vuldb.com/?ctiid.346948 Permissions Required VDB Entry
- https://vuldb.com/?id.346948 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.753871 Third Party Advisory VDB Entry
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026