cbcvebase.
CVE-2026-2824
published 2026-02-20

Priority P273 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 11.30% (95.4th percentile)
A flaw has been found in Comfast CF-E7 2.6.0.9. This affects the function sub_441CF4 of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component webmggnt. Executing a manipulation of the argument destination can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
comfast | cf-e7 | |
comfast | cf-e7_firmware | |

Detection & IOCs (extracted from sources)

url: https://github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_1.md
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ComFast mbox-config ping_config destination Parameter Command Injection Attempt (CVE-2026-3798, CVE-2026-2824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mbox-config|3f|"; fast_pattern; startswith; content:"method|3d|SET"; content:"section|3d|ping_config"; http.request_body; content:"|22|destination|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_1.md; reference:cve,2026-3798; reference:cve,2026-2824; classtype:attempted-admin; sid:2068152; rev:1; metadata:affected_product ComFast, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_11, cve CVE_2026_3798_CVE_2026_2824, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to /cgi-bin/mbox-config with query parameters method=SET and section=ping_config; command injection payload is injected into the 'destination' JSON body field using shell metacharacters (;, newline, backtick, pipe, $).
  • Attack is unauthenticated and remote; traffic is plaintext HTTP (not TLS), making it detectable at the perimeter or internally without SSL inspection.
  • Shell injection characters to watch for in the destination parameter include semicolon (;/%3B), newline (%0A), backtick (`/%60), pipe (|/%7C), and dollar sign ($/%24) — both raw and URL-encoded forms.
  • The Snort/Suricata rule (sid:2068152) covers two CVEs simultaneously (CVE-2026-3798 and CVE-2026-2824); tune alerting context accordingly to avoid conflating the two vulnerabilities.
  • The vendor (Comfast) did not respond to disclosure; no patch is available, making detection and network-level blocking the primary mitigation.
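
For reviewing recorded requests (proxy or capture logs) offline, the conditions in the rule above can be approximated in Python. This is an added example, not part of the rule or of the referenced advisory; the function names are hypothetical, the sample requests are constructed, and it goes slightly beyond the rule by also decoding JSON escapes such as \u003b before checking the destination value.

```python
import json
import re
from urllib.parse import unquote

SHELL_META = ";\n`|$"   # metacharacters the page lists for "destination"
# Quoted value of the "destination" JSON member (tolerates malformed bodies).
DEST_RE = re.compile(r'"destination"\s*:\s*"((?:[^"\\]|\\.)*)"', re.S)

def is_ping_config_set(method, uri):
    """Request shape the rule keys on: POST, mbox-config, both query args."""
    return (method.upper() == "POST"
            and uri.startswith("/cgi-bin/mbox-config?")
            and "method=SET" in uri
            and "section=ping_config" in uri)

def destination_metachars(body):
    """Metacharacters in the destination value, after JSON and URL decoding."""
    m = DEST_RE.search(body)
    if not m:
        return []
    raw = m.group(1)
    try:
        value = json.loads('"' + raw + '"', strict=False)  # resolves \u003b, \n
    except ValueError:
        value = raw                                         # malformed escapes
    value = unquote(value)                                  # resolves %3B, %7c
    return sorted(c for c in SHELL_META if c in value)

def check_request(method, uri, body):
    """Return the offending characters, or [] when the request looks clean."""
    if not is_ping_config_set(method, uri):
        return []
    return destination_metachars(body)

# Constructed samples: documentation addresses and harmless marker text only.
URI = "/cgi-bin/mbox-config?method=SET&section=ping_config"
SAMPLES = [
    ("POST", URI, '{"destination":"192.0.2.10"}'),         # normal ping target
    ("POST", URI, '{"destination": "192.0.2.10;x"}'),      # raw semicolon
    ("POST", URI, '{"destination":"192.0.2.10%7Cx%60"}'),  # URL-encoded | and `
    ("GET",  URI, '{"destination":"192.0.2.10;x"}'),       # wrong method
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, body, "->", check_request(method, uri, body))
```

An empty list means the request either is not a ping_config SET or carries a destination without any of the listed metacharacters.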

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P