Allanp0E

**Name of the Vulnerable Software and Affected Versions** Comfast CF-AC100 version 2.6.0.8 **Description** A command injection issue exists in Comfast CF-AC100 version 2.6.0.8. The issue impacts an unknown function within the file `/cgi-bin/mbox-config?method=SET&section=wireless device dissoc`. Successful manipulation of this function allows for remote command execution. The exploit for this issue has been publicly released. The vendor was notified of the issue but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-AC100 version 2.6.0.8 **Description** A command injection issue exists in Comfast CF-AC100 version 2.6.0.8. The issue affects an unknown function within the file `/cgi-bin/mbox-config?method=SET&section=update interface png`. Successful exploitation of this issue allows for remote command execution. The exploit for this issue has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-AC100 version 2.6.0.8 **Description** A command injection issue exists in Comfast CF-AC100 firmware. The issue is related to the manipulation of the file `/cgi-bin/mbox-config?method=SET&section=ntp timezone`. This allows for remote exploitation. The exploit has been publicly disclosed. The vulnerable function is unknown. The vendor was contacted but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-AC100 version 2.6.0.8 **Description** A command injection issue exists in the Request Path Handler component of Comfast CF-AC100 version 2.6.0.8. The issue is located in the `sub 44AC14` function of the `/cgi-bin/mbox-config?method=SET&section=ping config` file. Manipulation of this component can lead to command injection. The attack can be launched remotely. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wavlink WL-NU516U1 version 240425 **Description** A flaw exists in the `ota new upgrade` function of the `/cgi-bin/adm.cgi` file. Manipulation of the `model` argument can lead to command injection. This allows for remote attacks. The exploit has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wavlink WL-NU516U1 version 240425 **Description** A command injection issue exists in the `usb p910` function of the `/cgi-bin/adm.cgi` file. Manipulation of the `Pr mode` argument can lead to remote command execution. The exploit has been publicly disclosed. **Recommendations** Apply updates to address the vulnerability in the `usb p910` function of the `/cgi-bin/adm.cgi` file. As a temporary workaround, restrict access to the `/cgi-bin/adm.cgi` file. Avoid using the `Pr mode` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-E7 version 2.6.0.9 **Description** A command injection issue exists due to manipulation of the `timestr` argument in the `sub 41ACCC` function of the `/cgi-bin/mbox-config?method=SET&section=ntp timezone` file within the webmggnt component. This allows for remote execution of commands. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** Versions prior to 2.6.0.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-E7 version 2.6.0.9 **Description** A flaw exists in Comfast CF-E7 version 2.6.0.9 that allows for remote command injection. The issue is located within the `webmggnt` component, specifically in the `sub 441CF4` function of the `/cgi-bin/mbox-config?method=SET&section=ping config` file. Manipulation of the `destination` argument can trigger the command injection. An exploit for this issue has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-N1 V2 version 2.6.0.2 **Description** A remote command injection issue exists in Comfast CF-N1 V2 2.6.0.2. The issue is located in the `sub 44AC4C` function within the `/cgi-bin/mbox-config` file. Manipulation of the `bandwidth` argument in the 'ptest bandwidth' section of the file allows for remote code execution. The exploit for this issue has been publicly disclosed. The vendor was notified but did not respond. **Recommendations** For Comfast CF-N1 V2 version 2.6.0.2, as a temporary workaround, consider restricting access to the `/cgi-bin/mbox-config` file to minimize the risk of exploitation. Avoid using the `bandwidth` parameter in the affected API endpoint `/cgi-bin/mbox-config?method=SET&section=ptest bandwidth` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Comfast CF-N1 V2 version 2.6.0.2 **Description** A command injection issue exists in Comfast CF-N1 V2. The issue is located in the `sub 44AB9C` function of the `/cgi-bin/mbox-config` file. Manipulation of the `channel` parameter in the `ptest channel` section of the API endpoint `/cgi-bin/mbox-config?method=SET&section=ptest channel` can lead to command injection. The attack can be initiated remotely. **Recommendations** Versions prior to 2.6.0.2 are not affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-933L versions up to 1.14.11 **Description** A flaw exists in D-Link DCS-933L that allows for command injection. This issue stems from manipulating the `AdminID` argument within an unknown function of the `/setSystemAdmin` file, part of the `alphapd` component. Successful exploitation enables remote attackers to execute commands on the system. The exploit is publicly available. This vulnerability impacts products no longer supported by the maintainer. **Recommendations** Versions prior to 1.14.11 should not be used.

**Name of the Vulnerable Software and Affected Versions** Ziroom ZHOME A0101 version 1.0.1.0 **Description** A security flaw exists in Ziroom ZHOME A0101. The issue is due to command injection resulting from the manipulation of the `macType` argument within the `macAddrClone` function located in the `lucicontrollerapizrMacClone.lua` file. This allows for remote attacks. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.