PT-2025-38482 · Comfast · Cf-Xr11
Zz2266 · Published 2025-09-18 · Updated 2025-09-19 · CVE-2025-57293
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: COMFAST CF-XR11 version V2.7.2

Description: A command injection issue exists in the multi_pppoe API, processed by the sub_423930 function. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. Specifically, when the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.

Recommendations: As a temporary workaround, consider disabling the multi_pppoe API until a patch is available. Restrict access to the /cgi-bin/mbox-config endpoint to minimize the risk of exploitation. Avoid using the action parameter with the value "one_click_redial" until the issue is resolved.
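The root cause described above is a request parameter reaching system() unchecked. The following C fragment is an added illustration of the fix pattern for that defect class; it is not the vendor's code, and the helper path /sbin/pppoe-redial, the argument layout and the sample values are placeholders chosen for this example. It does two things the advisory's description implies the firmware does not: it validates the interface name against a strict allowlist (Linux interface names are at most 15 characters of letters, digits, '.', '-' and '_'), and it hands the name to the helper as a single execv() argument so that no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define IFNAME_MAX 15   /* IFNAMSIZ - 1: longest Linux interface name */

/* Allowlist check for a physical-interface name: letters, digits, '.', '-'
 * and '_' only, length 1..15. Shell metacharacters (';', '|', '`', '$',
 * whitespace, ...) never pass. Returns 1 if the name is acceptable. */
int valid_iface_name(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len == 0 || len > IFNAME_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Build the argv for the redial helper without composing a shell string.
 * Returns 0 and fills argv (NULL-terminated) on success, -1 if the
 * interface name fails validation. Helper path is a placeholder. */
int build_redial_argv(const char *phy_interface, const char *argv[4])
{
    if (!valid_iface_name(phy_interface)) return -1;
    argv[0] = "/sbin/pppoe-redial";   /* placeholder, not the vendor's path */
    argv[1] = "--iface";
    argv[2] = phy_interface;           /* one argv entry, never shell-parsed */
    argv[3] = NULL;
    return 0;
}

/* Run argv via fork/execv. Unlike system(), there is no /bin/sh -c in the
 * path, so even a loosened validator could not turn the name into commands.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int run_argv(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample values of the kind a phy_interface field might carry;
 * the rejected ones show what the allowlist stops before any exec. */
int main(void)
{
    const char *samples[] = { "eth0.2", "wan", "eth0;reboot", "$(id)", "", "eth0 eth1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *av[4];
        int rc = build_redial_argv(samples[i], av);
        printf("%-12s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The validator rejects rather than strips: stripping metacharacters from an attacker-controlled string tends to leave surprising residue, while refusing anything outside the known interface-name alphabet is easy to reason about. The exec path is the second, independent layer; a deployment that logs every rejection from valid_iface_name() also gains a cheap detection signal for probing of this endpoint.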

Weakness Enumeration: Command Injection
Related Identifiers: CVE-2025-57293
Affected Products: Cf-Xr11