VYPR
High severity8.8NVD Advisory· Published Sep 18, 2025· Updated Jun 17, 2026

CVE-2025-57293

CVE-2025-57293

Description

A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Comfast/CF-XR11cpe-rescue2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: V2.7.2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.