CVE-2026-4466 Overview
CVE-2026-4466 is a command injection vulnerability in the Comfast CF-AC100 access controller running firmware version 2.6.0.8. The flaw resides in the /cgi-bin/mbox-config endpoint when invoked with method=SET&section=ntp_timezone. Attackers can manipulate input to this endpoint to inject operating system commands. Remote exploitation is possible over the network, though it requires high privileges. The exploit has been publicly disclosed. The vendor was contacted prior to disclosure but did not respond. The weakness is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject arbitrary commands through the NTP timezone configuration parameter of the Comfast CF-AC100 web management interface.
Affected Products
- Comfast CF-AC100 firmware version 2.6.0.8
- Web management CGI endpoint /cgi-bin/mbox-config
- ntp_timezone configuration section handler
Discovery Timeline
- 2026-03-20 - CVE-2026-4466 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-4466
Vulnerability Analysis
The vulnerability exists in the request handler for the mbox-config CGI program on the Comfast CF-AC100 device. When the handler processes requests with method=SET and section=ntp_timezone, it passes user-supplied configuration data to a downstream system command without sufficient neutralization of shell metacharacters. An attacker who can reach the management interface and supply valid credentials can append additional commands to the parameter value. The injected commands execute in the context of the web service process on the embedded Linux system underlying the access controller.
The attack vector is network-based with low attack complexity, but the issue requires high privileges, which restricts opportunistic exploitation. According to the CVSS 4.0 vector, the impact to confidentiality, integrity, and availability of the vulnerable component is rated low. There is no scope change to downstream systems. EPSS data indicates a low probability of near-term exploitation.
Root Cause
The root cause is improper neutralization of special elements passed into a downstream command interpreter, classified as CWE-74. The ntp_timezone parameter is concatenated into a shell command string, so characters such as semicolons, backticks, or command substitution sequences in the value break out of the intended argument context and are interpreted by the shell as additional commands.
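The following Python is an added illustration of the root cause, not code from the CF-AC100 firmware (which is a native CGI binary). It shows the string-concatenation pattern next to a hardened handler that allow-lists the zone name and then execs the command without a shell. The command used to apply the zone, a symlink from /usr/share/zoneinfo/<zone> to /etc/localtime, is an assumption about how an embedded Linux device might do it; the pattern is the point, not the command.

```python
"""Validating a timezone value before it reaches a system command.

Added illustration, not the CF-AC100 firmware code. The ln -sf command is an
assumed way of applying a zone on embedded Linux.
"""
import re
import shlex
import subprocess

ZONEINFO_DIR = "/usr/share/zoneinfo"

# IANA zone names consist of letters, digits, '_', '+' and '-', in up to three
# '/'-separated components (e.g. UTC, Etc/GMT+5, America/Argentina/Buenos_Aires).
# Everything a shell would interpret (; | & ` $ ( ) space, quotes) and '.' is excluded.
_ZONE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}$")


def unsafe_set_timezone_command(tz: str) -> str:
    """The CWE-74 pattern: the request value is spliced into a shell string.

    Returned as text rather than executed so the two approaches can be compared.
    Anything after a ';' in tz becomes a second command once this reaches sh -c.
    """
    return f"ln -sf {ZONEINFO_DIR}/{tz} /etc/localtime"


def validate_timezone(tz: str) -> str:
    """Allow-list check: raise unless tz is a well-formed zone name."""
    if not _ZONE_RE.fullmatch(tz):
        raise ValueError(f"rejected timezone value: {tz!r}")
    return tz


def set_timezone_argv(tz: str) -> list[str]:
    """Hardened form: validate, then build an argv list for exec without a shell."""
    tz = validate_timezone(tz)
    return ["ln", "-sf", f"{ZONEINFO_DIR}/{tz}", "/etc/localtime"]


def shell_safe_command(tz: str) -> str:
    """If a shell is unavoidable, validate *and* quote.

    Quoting is the fallback; the allow-list is what removes the injection surface.
    """
    tz = validate_timezone(tz)
    return f"ln -sf {shlex.quote(ZONEINFO_DIR + '/' + tz)} /etc/localtime"


def apply_timezone(tz: str, runner=subprocess.run):
    """Apply the zone with exec-style invocation (subprocess.run defaults to shell=False).

    `runner` is injectable so the call can be exercised without touching /etc.
    """
    argv = set_timezone_argv(tz)
    return runner(argv, check=True)


if __name__ == "__main__":
    # The unsafe builder silently turns "UTC;ls" into two shell commands.
    print(unsafe_set_timezone_command("UTC;ls"))
    print(set_timezone_argv("Europe/Berlin"))
    try:
        set_timezone_argv("UTC;ls")
    except ValueError as exc:
        print("blocked:", exc)
```

The allow-list is deliberately narrower than "strip the metacharacters I can think of": it accepts only the characters that occur in real zone names, so new shell tricks do not need a new deny-list entry, and it also rejects path components such as `..` that would matter if the value were used as a file path.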
Attack Vector
An authenticated attacker sends a crafted HTTP request to /cgi-bin/mbox-config?method=SET&section=ntp_timezone with a malicious payload in the timezone field. The web server invokes a shell command that includes the attacker-controlled value, resulting in execution of the injected commands on the device. Technical details, including a proof-of-concept payload, are documented in the GitHub PoC Repository and the VulDB entry #351756.
Detection Methods for CVE-2026-4466
Indicators of Compromise
- HTTP requests to /cgi-bin/mbox-config with method=SET&section=ntp_timezone containing shell metacharacters such as ;, |, &, $(), or backticks in the timezone value.
- Unexpected child processes spawned by the web server or CGI handler on the access controller.
- Outbound network connections from the CF-AC100 device to unfamiliar hosts following management interface activity.
- Modifications to NTP, cron, or startup configuration files that do not correspond to administrator actions.
Detection Strategies
- Inspect HTTP access logs on the CF-AC100 for POST or GET requests targeting the mbox-config endpoint with the ntp_timezone section parameter.
- Apply web application firewall rules that flag shell metacharacters in CGI query strings sent to the management interface.
- Correlate authentication events with subsequent configuration changes to detect misuse by accounts with administrative privileges.
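The indicators and detection strategies above translate directly into a log check. The script below is an added example in Python, not part of the advisory or any vendor tooling: it parses access-log lines in the common combined format, keeps only requests to /cgi-bin/mbox-config with method=SET and section=ntp_timezone, URL-decodes the remaining parameters, and flags any value that contains shell metacharacters or, for the timezone parameter, does not look like an IANA zone name. The log lines are constructed for the example, and the parameter name timezone is an assumption (the advisory only says "the timezone field"), which is why every non-routing parameter is screened for metacharacters rather than just that one.

```python
"""Flag ntp_timezone SET requests carrying shell metacharacters in an access log.

Added example; the log format (combined-style) and the SAMPLE_LOG lines are
constructed, and the parameter name `timezone` is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# src - user [timestamp] "METHOD target HTTP/x" status ...
_REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value escape a shell argument context.
_META_RE = re.compile(r"[;|&`$(){}<>\n\r]")
# Shape of a legitimate IANA zone name (letters, digits, _ + -, up to three parts).
_ZONE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+){0,2}$")

VULN_PATH = "/cgi-bin/mbox-config"

# Constructed sample: one benign SET, two suspicious SETs, one harmless GET.
SAMPLE_LOG = (
    '192.0.2.10 - admin [20/Mar/2026:09:58:03 +0000] '
    '"GET /cgi-bin/mbox-config?method=SET&section=ntp_timezone&timezone=Europe%2FBerlin HTTP/1.1" 200 318\n'
    '198.51.100.23 - admin [20/Mar/2026:10:01:12 +0000] '
    '"GET /cgi-bin/mbox-config?method=SET&section=ntp_timezone&timezone=UTC%3Bls HTTP/1.1" 200 318\n'
    '198.51.100.23 - admin [20/Mar/2026:10:01:40 +0000] '
    '"POST /cgi-bin/mbox-config?method=SET&section=ntp_timezone&timezone=%60date%60 HTTP/1.1" 200 318\n'
    '192.0.2.10 - admin [20/Mar/2026:10:02:00 +0000] '
    '"GET /cgi-bin/mbox-config?method=GET&section=ntp_timezone HTTP/1.1" 200 96\n'
)


def inspect_line(line: str):
    """Return a finding dict for a SET/ntp_timezone request, else None.

    The 'suspicious' map is empty when the request looked benign. Note that a
    POST carrying its parameters in the body will not show them in an access
    log; only query-string parameters are visible here.
    """
    m = _REQ_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("method") != ["SET"] or params.get("section") != ["ntp_timezone"]:
        return None
    suspicious = {}
    for key, values in params.items():
        if key in ("method", "section"):
            continue
        for value in values:
            if _META_RE.search(value) or (key == "timezone" and not _ZONE_RE.fullmatch(value)):
                suspicious[key] = value
    return {"src": m["src"], "user": m["user"], "ts": m["ts"],
            "http_method": m["method"], "suspicious": suspicious}


def scan_log(text: str) -> list:
    """Return only the SET/ntp_timezone requests with a suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        result = inspect_line(line)
        if result and result["suspicious"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} user={f['user']} {f['http_method']} -> {f['suspicious']}")
```

Because the device logs are the only place the decoded value is visible, forward them to the central platform first (see Monitoring Recommendations) and run the check there; a hit from an account that also appears in the authentication log a few seconds earlier is exactly the correlation the third strategy describes.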
Monitoring Recommendations
- Forward device syslog and HTTP access logs to a central log platform for retention and analysis.
- Alert on any process execution chain originating from the CGI handler that invokes /bin/sh, wget, curl, nc, or tftp.
- Monitor for new or modified scheduled tasks and persistence mechanisms on managed network appliances.
How to Mitigate CVE-2026-4466
Immediate Actions Required
- Restrict access to the CF-AC100 management interface to a dedicated administrative VLAN or jump host. Block exposure to untrusted networks and the public internet.
- Rotate administrative credentials on affected devices and enforce strong, unique passwords to reduce the value of stolen high-privilege accounts.
- Audit account inventories on the device and remove unused or default administrator accounts.
- Review HTTP access logs for prior requests to /cgi-bin/mbox-config containing suspicious ntp_timezone values.
Patch Information
No vendor patch is currently available. The vendor did not respond to disclosure attempts according to the VulDB advisory. Operators should track the vendor's support channels for firmware updates and apply them once released.
Workarounds
- Place the CF-AC100 management interface behind a network access control list that permits only specific administrator source addresses.
- Disable remote management on WAN interfaces and require VPN access for administrative tasks.
- Limit the number of accounts with high privileges, since exploitation requires authenticated access at that level.
- Consider replacing affected devices in high-risk deployments where no patch timeline is available from the vendor.
# Example: restrict management interface access with an upstream firewall rule
# Replace 192.0.2.10 with the authorized administrator workstation address and
# <CF-AC100-IP> with the controller's management address.
# These rules must sit ahead of any broader ACCEPT rule already in the FORWARD
# chain; use -I instead of -A if such a rule exists, otherwise the DROP lines
# are never reached.
iptables -A FORWARD -p tcp -d <CF-AC100-IP> --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d <CF-AC100-IP> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <CF-AC100-IP> --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d <CF-AC100-IP> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.