CVE-2026-4466: Command Injection in Comfast CF-AC100
A vulnerability has been found in Comfast CF-AC100 2.6.0.8. This affects an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-4466 is a command injection vulnerability in the Comfast CF-AC100 wireless access point running firmware version 2.6.0.8. It resides in an unknown function behind the CGI endpoint /cgi-bin/mbox-config when that endpoint handles a request carrying method=SET and section=ntp_timezone. By manipulating such a request, an attacker can inject commands that the device executes on its underlying operating system. Exploitation is remote and needs no user interaction, but the vector rates the required privileges as high (PR:H): the attacker must already hold authenticated or otherwise elevated access before the flaw can be triggered. Impact on confidentiality, integrity and availability is rated low for each (VC:L/VI:L/VA:L), with no impact on subsequent systems (SC:N/SI:N/SA:N). The vendor was contacted but did not respond or issue a patch, so no official remediation is available. No exploitation in the wild has been observed, but the exploit has been publicly disclosed, which raises the likelihood of attacks. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) therefore reflects a network attack vector, low attack complexity, no user interaction, low impact on each of confidentiality, integrity and availability, and proof-of-concept exploit maturity. The device is typically deployed in small to medium enterprise and home networks, which makes it attractive to attackers seeking persistent access or a pivot point within a network.
Potential Impact
The primary impact of CVE-2026-4466 is the potential for remote command execution on affected Comfast CF-AC100 devices, which could allow attackers to take control of the device, manipulate network traffic, or use the device as a foothold for further attacks within an organization’s network. Although exploitation requires high privileges, if attackers gain these credentials through other means (e.g., default or weak passwords, credential theft), they can leverage this vulnerability to escalate their control. This could lead to unauthorized access to sensitive data, disruption of network services, or the deployment of malware. The lack of vendor response and patches increases the risk of prolonged exposure. Organizations relying on these devices may face increased risk of network compromise, data breaches, and operational disruption, especially in environments where these devices are internet-facing or poorly segmented. The medium severity rating reflects the balance between the need for authentication and the potential damage from exploitation.
Mitigation Recommendations
1. Immediately restrict access to the Comfast CF-AC100 management interface by limiting it to trusted internal networks and disabling remote management where possible.
2. Change default credentials and enforce strong, unique passwords to reduce the risk of unauthorized access.
3. Implement network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data.
4. Monitor network traffic and device logs for unusual activity that could indicate exploitation attempts, such as unexpected commands or configuration changes.
5. If feasible, replace affected devices with alternative hardware from vendors with active security support.
6. Regularly audit and update device firmware; although no patch is currently available, stay alert for vendor updates or community-developed mitigations.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection attempts targeting the vulnerable CGI endpoint.
8. Educate network administrators about this vulnerability and ensure they follow best practices for device hardening and incident response.
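Recommendations 4 and 7 call for spotting injection attempts against the vulnerable endpoint. The following added example (not part of the advisory and not vendor code) is a log-review check that flags requests to /cgi-bin/mbox-config with method=SET and section=ntp_timezone whose remaining parameter values contain shell metacharacters; the log lines, client addresses and the tz parameter name are constructed for illustration, since the advisory does not name the injectable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint and request parameters named in the CVE-2026-4466 advisory.
VULN_PATH = "/cgi-bin/mbox-config"
VULN_PARAMS = {"method": "SET", "section": "ntp_timezone"}
# Shell metacharacters that never belong in a timezone value like "Asia/Shanghai".
SHELL_META = re.compile(r"[;|&`$<>()\n\r]")
# Common Log Format; the query string of a GET request is visible in the URL field.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<verb>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# Constructed sample log lines (not real traffic); "tz" is a hypothetical parameter name.
LOG_LINES = [
    '10.0.0.5 - admin [20/Mar/2026:02:24:25 +0000] "GET /cgi-bin/mbox-config'
    '?method=SET&section=ntp_timezone&tz=Asia%2FShanghai HTTP/1.1" 200 57',
    '10.0.0.5 - admin [20/Mar/2026:02:25:01 +0000] "GET /cgi-bin/mbox-config'
    '?method=GET&section=ntp_timezone HTTP/1.1" 200 120',
    '198.51.100.7 - admin [20/Mar/2026:02:26:40 +0000] "GET /cgi-bin/mbox-config'
    '?method=SET&section=ntp_timezone&tz=UTC%3BINJECTED_PLACEHOLDER HTTP/1.1" 200 57',
    '10.0.0.9 - - [20/Mar/2026:02:27:13 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def inspect_request(url):
    """Return why a request looks like an injection attempt against the
    ntp_timezone SET handler, or None if it does not match or looks benign."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if any(params.get(k) != v for k, v in VULN_PARAMS.items()):
        return None
    for name, value in params.items():
        if name in VULN_PARAMS:
            continue
        # parse_qsl decoded once; decode again so %253B (double-encoded ';') is caught.
        hit = SHELL_META.search(unquote(value))
        if hit:
            return f"shell metacharacter {hit.group()!r} in parameter {name!r}"
    return None


def scan_log(lines):
    """Return (client_ip, user, url, reason) for every suspicious request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and (reason := inspect_request(m["url"])):
            hits.append((m["ip"], m["user"], m["url"], reason))
    return hits
```

Parameters sent in a POST body do not appear in an access log, so the same check has to run where the body is visible, for example in a reverse proxy or IDS placed in front of the management interface.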
Affected Countries
China, United States, Germany, France, United Kingdom, India, Brazil, Russia, South Korea, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-19T20:32:14.918Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcafd9e32a4fbe5f174d06
Added to database: 3/20/2026, 2:24:25 AM
Last enriched: 3/20/2026, 2:38:55 AM
Last updated: 3/20/2026, 3:31:06 AM