
CVE-2026-2537: Command Injection in Comfast CF-E4

Medium
Published: Mon Feb 16 2026 (02/16/2026, 05:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Comfast
Product: CF-E4

Description

A vulnerability was identified in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 21:18:17 UTC

Technical Analysis

CVE-2026-2537 is a command injection vulnerability identified in Comfast CF-E4 firmware version 2.6.0.1. The vulnerability resides in the HTTP POST request handler for the /cgi-bin/mbox-config endpoint, specifically when handling the 'timestr' argument within the 'ntp_timezone' section. Improper input validation allows an attacker to inject arbitrary OS commands through this parameter. The attack vector is remote and network-based, requiring the attacker to have high-level privileges (authentication) on the device. The vulnerability does not require user interaction and affects the confidentiality, integrity, and availability of the device by enabling arbitrary command execution. Despite the vendor being notified early, no patch or response has been provided, and public exploit code is available, increasing the likelihood of exploitation. The CVSS v4.0 score is 5.1 (medium), reflecting the need for authentication and limited scope of impact. The device is typically used in networking environments, and exploitation could lead to device compromise, network disruption, or pivoting within internal networks.

Potential Impact

The primary impact of CVE-2026-2537 is the potential for attackers with authenticated access to execute arbitrary commands on Comfast CF-E4 devices remotely. This can lead to full device compromise, allowing attackers to alter configurations, disrupt network services, or use the device as a foothold for further attacks within an organization's network. Confidentiality may be breached if sensitive information stored or transmitted by the device is accessed or exfiltrated. Integrity is at risk as attackers can modify device settings or firmware. Availability could be impacted if the device is rendered inoperable or used in denial-of-service attacks. The requirement for authentication limits exposure to external unauthenticated attackers but does not eliminate risk, especially in environments with weak or default credentials. The lack of vendor response and patch availability increases the window of vulnerability, making timely mitigation critical for organizations relying on these devices.

Mitigation Recommendations

Organizations should immediately audit Comfast CF-E4 devices to identify those running version 2.6.0.1 and restrict administrative access to trusted personnel and networks only. Change all default or weak credentials to strong, unique passwords to reduce the risk of unauthorized authentication. Implement network segmentation to isolate management interfaces from general user networks and the internet. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts. If possible, disable or restrict access to the vulnerable /cgi-bin/mbox-config endpoint or the affected functionality until a vendor patch is released. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this vulnerability or related exploit attempts. Maintain an inventory of affected devices and stay alert for vendor updates or community-developed patches. Consider replacing or upgrading devices if no vendor support is forthcoming.
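One way to carry out the monitoring step above, as an added example that is not part of the original advisory or any vendor tooling: it reviews captured requests to the affected endpoint and flags `timestr` values that contain anything beyond plain date/time characters. The record layout `(src, method, url, body)`, the JSON or form-encoded body, and the allowlist are assumptions; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/mbox-config"
URL = ENDPOINT + "?method=SET&section=ntp_timezone"
# Assumption: a legitimate time string needs only these characters.
SAFE_TIMESTR = re.compile(r"[A-Za-z0-9 :/+.,_-]{1,64}")

def find_key(obj, key):
    """Yield every value stored under `key` anywhere in parsed JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)

def extract_timestr(body):
    """Return timestr values from a JSON or form-encoded body (format assumed)."""
    try:
        return [str(v) for v in find_key(json.loads(body), "timestr")]
    except ValueError:
        return parse_qs(body, keep_blank_values=True).get("timestr", [])

def flag_requests(records):
    """Return (source, timestr) pairs for requests that need review."""
    hits = []
    for src, method, url, body in records:
        parts = urlsplit(url)
        section = parse_qs(parts.query).get("section")
        if method != "POST" or parts.path != ENDPOINT or section != ["ntp_timezone"]:
            continue
        for value in extract_timestr(body):
            if not SAFE_TIMESTR.fullmatch(value):
                hits.append((src, value))
    return hits

# Constructed sample records (src, method, url, body); not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", URL, '{"timestr": "2026-02-16 05:32:05"}'),
    ("192.0.2.77", "POST", URL, '{"timestr": "2026-02-16 05:32:05;CONSTRUCTED"}'),
    ("192.0.2.78", "POST", URL, "timestr=12%3A00%7CCONSTRUCTED"),
    ("192.0.2.10", "POST", ENDPOINT + "?method=GET&section=example", '{"timestr": ";"}'),
]

if __name__ == "__main__":
    for src, value in flag_requests(SAMPLE):
        print(f"review: {src} sent timestr={value!r}")
```

Because the check is an allowlist rather than a list of known-bad characters, it also flags encodings and separators that a blocklist would miss; tune the allowed set against the time strings your devices actually send.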


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-15T09:22:17.332Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6992b36bbda29fb02f4bb440

Added to database: 2/16/2026, 6:04:27 AM

Last enriched: 2/23/2026, 9:18:17 PM

Last updated: 4/6/2026, 6:49:08 PM
