Command Injection Vulnerability in COMFAST CF-XR11 by COMFAST
CVE-2024-44466

9.8CRITICAL

Key Information:

Vendor: Comfast
Status: Cf-xr11 Firmware
Vendor: CVE Published:; 11 September 2024

What is CVE-2024-44466?

The COMFAST CF-XR11 model V2.7.2 contains a command injection vulnerability resulting from improper validation in the function sub_424CB4. This flaw allows attackers to construct specially crafted POST requests directed at /usr/bin/webmgnt, enabling them to inject and execute arbitrary commands through the iface parameter. This vulnerability poses significant risk as it may lead to unauthorized access and control over the device, potentially compromising the integrity of the network it operates in. Users are advised to apply available updates and follow security best practices to mitigate potential threats.

References

https://github.com/CurryRaid/iot_vul/tree/main/comfast

EPSS Score

38% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 11, 2024
Vulnerability Reserved
Aug 21, 2024

CVE-2024-44466 Data

JSON

Comfast

What is CVE-2024-44466?

References

EPSS Score

CVSS V3.1

Timeline