CVE-2026-3798
Published: 2026-03-09
Priority P265 · high · 7.2 (CVSS 3.1): AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 13.48% (96.0th percentile)
A vulnerability was detected in Comfast CF-AC100 2.6.0.8. This affects the function sub_44AC14 of the file /cgi-bin/mbox-config?method=SET&section=ping_config of the component Request Path Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comfast | cf-ac100 | — | — |
| comfast | cf-ac100_firmware | — | — |
Detection & IOCs
path: /cgi-bin/mbox-config
url: https://github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_1.md
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ComFast mbox-config ping_config destination Parameter Command Injection Attempt (CVE-2026-3798, CVE-2026-2824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mbox-config|3f|"; fast_pattern; startswith; content:"method|3d|SET"; content:"section|3d|ping_config"; http.request_body; content:"|22|destination|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_1.md; reference:cve,2026-3798; reference:cve,2026-2824; classtype:attempted-admin; sid:2068152; rev:1; metadata:affected_product ComFast, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_11, cve CVE_2026_3798_CVE_2026_2824, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets HTTP POST requests to /cgi-bin/mbox-config with query parameters method=SET and section=ping_config; inspect the request body for the 'destination' JSON field containing shell metacharacters (;, newline, backtick, |, $) indicative of command injection.
- The injection point is the 'destination' parameter within the ping_config section body; both raw and URL-encoded shell metacharacters (e.g., %3B for ;, %0A for newline, %60 for backtick, %7C for |, %24 for $) should be detected.
- Attack is remote, unauthenticated, and exploits a publicly disclosed PoC; prioritize perimeter and internal network monitoring for traffic destined to Comfast CF-AC100 devices (plaintext HTTP only; tls_state: plaintext).
- The vulnerable function is sub_44AC14 in the CF-AC100 firmware version 2.6.0.8; version fingerprinting of this device on the network can help scope exposure.
- The Snort/Suricata rule (sid:2068152) covers both CVE-2026-3798 and the related CVE-2026-2824; analysts should be aware that a single alert may correspond to either CVE and should correlate with device model/firmware to distinguish.
- The vendor (Comfast) did not respond to disclosure; no official patch is confirmed, meaning affected devices (CF-AC100 v2.6.0.8) are likely to remain unpatched in the field.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P |
GHSA
GHSA-686w-7c78-3m4c: A vulnerability was detected in Comfast CF-AC100 2
ghsa_unreviewed·2026-03-09
CVE-2026-3798 [MEDIUM] CWE-74 GHSA-686w-7c78-3m4c: A vulnerability was detected in Comfast CF-AC100 2
Citrix
Citrix Security Bulletin CTX140814
vendor_citrix·CVSS 6.5
CVE-2014-3798 [MEDIUM] Citrix Security Bulletin CTX140814
CVE References: CVE-2014-3798, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Suricata
ET WEB_SPECIFIC_APPS ComFast mbox-config ping_config destination Parameter Command Injection Attempt (CVE-2026-3798, CVE-2026-2824)
suricata·2026-03-11·CVSS 5.3
CVE-2026-3798 [MEDIUM] ET WEB_SPECIFIC_APPS ComFast mbox-config ping_config destination Parameter Command Injection Attempt (CVE-2026-3798, CVE-2026-2824)
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-03-09