CVE-2026-2823
published 2026-02-20

Priority: P2 77 high
CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 15.50% (96.4th percentile)

A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component webmggnt. Manipulating the argument timestr results in command injection. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
comfast | cf-e7 | |
comfast | cf-e7_firmware | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/mbox-config?method=SET&section=ntp_timezone
path: /cgi-bin/mbox-config
url: https://github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_2.md
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ComFast mbox-config ntp_timezone timestr Parameter Command Injection Attempt (CVE-2026-2823, CVE-2026-2537)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mbox-config|3f|"; fast_pattern; startswith; content:"method|3d|SET"; content:"section|3d|ntp_timezone"; http.request_body; content:"|22|timestr|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_2.md; reference:cve,2026-2823; reference:cve,2026-2537; classtype:attempted-admin; sid:2068153; rev:1; metadata:affected_product ComFast, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_11, cve CVE_2026_2823_CVE_2026_2537, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /cgi-bin/mbox-config with URI parameters method=SET and section=ntp_timezone; inspect the request body for the 'timestr' JSON key containing shell metacharacters (;, newline, backtick, |, $) indicative of command injection.
  • The vulnerable function is sub_41ACCC in the webmggnt component; binary-level analysis or firmware inspection of Comfast CF-E7 2.6.0.9 should focus on this symbol.
  • The exploit is publicly available; treat any inbound POST to the affected endpoint from external/perimeter sources as high-confidence exploitation attempts.
  • The Snort/Suricata rule (sid:2068153) targets plaintext (non-TLS) traffic only; deploy at perimeter and internal chokepoints for coverage.
  • The Snort/Suricata rule also covers CVE-2026-2537 in the same signature; detections firing on sid:2068153 may relate to either CVE and should be triaged accordingly.
  • The vendor did not respond to disclosure; no official patch is confirmed, so network-level detection and blocking remain the primary mitigation.
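
The first detection note above, written as a log-side check for proxy or WAF records where the network rule is not deployed. This is an added example, not code from the sources or the rule's authors; the function names and the sample requests are constructed for illustration, and the body is assumed to be JSON as the rule's `"timestr"` match implies.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Metacharacters listed in the detection note: ; newline backtick | $
SHELL_META = re.compile(r"[;\n`|$]")

def find_timestr(node):
    """Yield every 'timestr' value found anywhere in decoded JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "timestr":
                yield str(value)
            yield from find_timestr(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_timestr(item)

def timestr_values(body):
    """Decode the body as JSON; fall back to a regex when it is malformed."""
    try:
        # JSON decoding turns escapes such as \n into the real character.
        return list(find_timestr(json.loads(body)))
    except ValueError:
        return re.findall(r'"timestr"\s*:\s*"([^"]*)', body)

def is_suspicious(method, uri, body):
    """True when the request matches the conditions in the detection note."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    if method.upper() != "POST" or parts.path != "/cgi-bin/mbox-config":
        return False
    if query.get("method") != ["SET"] or query.get("section") != ["ntp_timezone"]:
        return False
    # Match on the decoded value and on its percent-decoded form (%3B, %0A, ...).
    return any(SHELL_META.search(v) or SHELL_META.search(unquote(v))
               for v in timestr_values(body))

# Constructed sample requests (method, URI, body); not captured traffic.
URI = "/cgi-bin/mbox-config?method=SET&section=ntp_timezone"
SAMPLES = [
    ("POST", URI, '{"timestr": "2026-02-20 10:00:00"}'),
    ("POST", URI, '{"timestr": "2026-02-20 10:00:00;CONSTRUCTED"}'),
    ("POST", URI, '{"timestr": "2026-02-20%3BCONSTRUCTED"}'),
    ("GET", URI, '{"timestr": "x;CONSTRUCTED"}'),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(is_suspicious(method, uri, body), method, body)
```
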

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P