Description

A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.

INFO

Published Date :

2025-09-18T00:00:00.000Z

Last Modified :

2025-09-19T14:08:26.011Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-57293 vulnerability.

Vendors Products
Comfast
  • Cf-xr11
  • Cf-xr11 Firmware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-57293.

URL Resource
https://github.com/ZZ2266/.github.io/blob/main/comfast/multi_pppoe.markdown cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact