CVE-2026-15511

Comfast · CF-WR631AX V3

A critical OS command injection vulnerability exists in the Comfast CF-WR631AX V3 router via the FastCGI backend, allowing unauthenticated remote attackers to execute arbitrary system commands.

Executive summary

A critical OS command injection vulnerability in the Comfast CF-WR631AX V3 router allows unauthenticated remote attackers to execute arbitrary system commands, posing a severe risk of full device compromise.

Vulnerability

The flaw exists in the system_wl_upload_pic_file function within the /usr/bin/webmgnt binary. An unauthenticated attacker can supply a malicious filename to trigger OS command injection.

Business impact

Successful exploitation allows an attacker to gain full control over the router, potentially leading to unauthorized network access, data interception, or the device being utilized as a pivot point for lateral movement within the enterprise network. With a CVSS score of 9.8, this vulnerability represents an extreme risk to infrastructure integrity and confidentiality.

Remediation

Immediate Action: As no official patch is currently available, restrict access to the web management interface of the affected routers to trusted administrative IP addresses only.

Proactive Monitoring: Monitor network traffic for unusual outbound connections from the router and review system logs for attempts to call unexpected shell commands.

Compensating Controls: If possible, place the management interface behind a firewall or VPN to ensure it is not reachable by unauthorized external actors.

Exploitation status

Public Exploit Available: Yes — a public proof-of-concept exists on GitHub.

Analyst recommendation

Due to the critical nature of this command injection flaw and the availability of public exploit code, immediate segmentation of the management interface is mandatory. Organizations should prioritize replacing these devices if the vendor fails to release a security update in a timely manner.