CVE-2025-57293
Published: 18 September 2025
Summary
CVE-2025-57293 is a high-severity command injection (CWE-77) vulnerability in COMFAST CF-XR11 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-57293 is a command injection vulnerability (CWE-77) in the COMFAST CF-XR11 router running firmware version V2.7.2. The flaw exists in the multi_pppoe API, which is processed by the sub_423930 function located in /usr/bin/webmgnt. The phy_interface parameter passed to this API is not sanitized, enabling attackers to inject arbitrary commands through a POST request to the endpoint /cgi-bin/mbox-config?method=SET&section=multi_pppoe.
Exploitation occurs when the action parameter is set to "one_click_redial", causing the unsanitized phy_interface value to be used directly in a system() call. Remote attackers with network access can trigger this without authentication privileges, though it requires user interaction. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H); a successful exploit can result in unauthorized access to sensitive files, execution of arbitrary code, or complete device compromise.
Additional details, including potential mitigation guidance, are available in the referenced advisory at https://github.com/ZZ2266/.github.io/blob/main/comfast/multi_pppoe.markdown.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30197
Vulnerability details
A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability in the web management API enables exploitation of a public-facing application (T1190), arbitrary command execution on the network device CLI (T1059.008), and unauthorized access to sensitive files such as device configurations (T1602.002).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates input validation mechanisms at API entry points to sanitize parameters like phy_interface, directly preventing command injection into the system() call.
SI-2 requires timely identification, reporting, and patching of flaws such as the unsanitized phy_interface handling in the vulnerable firmware version.
SI-9 enforces input restrictions at system boundaries to limit phy_interface to valid values, blocking malicious command payloads in POST requests to the multi_pppoe endpoint.
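To show what the SI-10 and SI-9 controls above mean in code for this bug class, here is an added C example (illustrative code written for this page, not the source of the webmgnt binary): an allowlist validator for the phy_interface parameter, and a redial launcher that passes the value as a single argv element through execv() instead of handing a built string to system(). The helper program path, the permitted character set and the 15-character length limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IFNAME_MAX 15  /* assumed bound: Linux IFNAMSIZ minus the terminator */

/* Allowlist validation for the phy_interface request parameter (SI-10 style):
 * interface-name characters only, bounded length, and no leading '-' so the
 * value can never be read as an option by whatever program receives it. */
bool phy_interface_is_valid(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return false;
    size_t n = strlen(s);
    if (n > IFNAME_MAX)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return false;  /* rejects ';', '|', '&', '$', '`', quotes, spaces */
    }
    return true;
}

/* Hardened redial: the interface name is passed as one argv element to an
 * explicit program path via execv(), so no shell ever parses it (system()
 * would run "/bin/sh -c <string>"). Returns the helper's exit status (127 if
 * exec failed), or -1 if the parameter was rejected or fork/wait failed. */
int run_redial(const char *helper_path, const char *phy_interface)
{
    if (!phy_interface_is_valid(phy_interface))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)phy_interface, NULL };
        execv(helper_path, argv);
        _exit(127);  /* only reached when exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the value never reaches a shell, even a request that slipped past the validator could at worst be an odd interface name handed to the helper, not an injected command.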