Cyber Resilience

CVE-2025-57293

Severity: High · Public PoC · RCE

Published: 18 September 2025
Modified: 03 October 2025
KEV Added: not listed
Patch: none linked on this page
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (54.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57293 is a high-severity Command Injection (CWE-77) vulnerability in COMFAST CF-XR11 firmware (version V2.7.2). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places it in the top 45.1% of CVEs by exploit likelihood (54.9th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57293 is a command injection vulnerability (CWE-77) in the COMFAST CF-XR11 router running firmware version V2.7.2. The flaw is in the multi_pppoe API, which is handled by the function sub_423930 (a decompiler-assigned name) in /usr/bin/webmgnt. The phy_interface parameter passed to this API is not sanitized, so an attacker can inject arbitrary commands through a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe.

Exploitation occurs when the action parameter is set to "one_click_redial", which causes the unsanitized phy_interface value to be used directly in a system() call, so shell metacharacters in that value are interpreted as additional commands. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8) records no required privileges but required user interaction: the request needs no credentials, but it has to be triggered by some user action, which in practice usually means inducing a user's browser to submit the POST to the device. Successful exploitation can result in unauthorized access to sensitive files, execution of arbitrary code, or complete device compromise; the injected commands run with whatever privileges the webmgnt process holds, which this page does not state.
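The pattern the analysis describes (an unsanitized request parameter formatted into a system() command line) beside a hardened replacement, as an added example. This is not COMFAST's code and not a reconstruction of sub_423930: the helper path /usr/sbin/pppoe-redial, its --ifname flag, the function names and the sample inputs are all assumptions; only the flow, phy_interface from the POST reaching a shell command when action is one_click_redial, comes from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not COMFAST firmware code. The redial helper path and its
 * --ifname flag are assumptions; the page only states that phy_interface
 * reaches a system() call when action=one_click_redial. */

#define PHY_IFNAME_MAX 15   /* Linux IFNAMSIZ is 16 including the NUL */

/* Vulnerable pattern: the untrusted parameter is formatted straight into a
 * shell command line. Fills cmd with what system() would execute and returns
 * 0, or -1 if it does not fit. Anything after ';', '|', '&', '`' or "$(" in
 * phy_interface becomes a second command once /bin/sh parses the string. */
int build_redial_cmd_vulnerable(const char *phy_interface, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "/usr/sbin/pppoe-redial %s", phy_interface);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Hardened check: accept only a plausible Linux interface name (alphanumerics,
 * '.', '-', '_', at most 15 bytes). An allowlist is preferable to stripping
 * shell metacharacters, which is easy to get wrong (whitespace, newlines). */
int is_valid_phy_interface(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > PHY_IFNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then pass the value as one argv element so no
 * shell ever parses it. argv needs room for 4 pointers. Returns 0, or -1 if
 * the parameter is rejected. */
int build_redial_argv(const char *phy_interface, const char *argv[4])
{
    if (!is_valid_phy_interface(phy_interface))
        return -1;
    argv[0] = "/usr/sbin/pppoe-redial";
    argv[1] = "--ifname";
    argv[2] = phy_interface;
    argv[3] = NULL;
    return 0;
}

/* Runs the helper via fork + execv (no /bin/sh involved). Returns the child's
 * exit status, -1 if the parameter was rejected, -2 if spawning failed. */
int run_redial_safe(const char *phy_interface)
{
    const char *argv[4];
    int status = 0;
    if (build_redial_argv(phy_interface, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);             /* exec failed; never fall back to system() */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

/* 1 if the vulnerable builder passes `tail` through into the command line. */
int vulnerable_keeps_tail(const char *phy_interface, const char *tail)
{
    char cmd[256];
    return build_redial_cmd_vulnerable(phy_interface, cmd, sizeof cmd) == 0
        && strstr(cmd, tail) != NULL;
}

/* 1 if the hardened builder accepts the value and isolates it in argv[2]. */
int hardened_accepts(const char *phy_interface)
{
    const char *argv[4];
    return build_redial_argv(phy_interface, argv) == 0
        && strcmp(argv[2], phy_interface) == 0 && argv[3] == NULL;
}

int main(void)
{
    /* Constructed inputs: a benign VLAN sub-interface and an injection attempt. */
    const char *benign = "eth0.2", *hostile = "eth0;reboot";
    printf("vulnerable keeps ';reboot' from %s: %d\n", hostile,
           vulnerable_keeps_tail(hostile, ";reboot"));
    printf("hardened accepts %s: %d\n", benign, hardened_accepts(benign));
    printf("hardened accepts %s: %d\n", hostile, hardened_accepts(hostile));
    return 0;
}
```

The allowlist in is_valid_phy_interface accepts only characters that can appear in a Linux interface name and caps the length at IFNAMSIZ - 1, so shell metacharacters, whitespace and newlines are rejected before any command is assembled; execv then passes the value as a single argv element, so even a value that slipped past validation would never be parsed by a shell. While devices remain unpatched, the same check can be applied at a reverse proxy or IDS to the phy_interface field of POSTs to /cgi-bin/mbox-config?method=SET&section=multi_pppoe.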

Additional details, including potential mitigation guidance, are available in the referenced advisory at https://github.com/ZZ2266/.github.io/blob/main/comfast/multi_pppoe.markdown.


Vulnerability details

A command injection vulnerability in COMFAST CF-XR11 (firmware V2.7.2) exists in the multi_pppoe API, processed by the sub_423930 function in /usr/bin/webmgnt. The phy_interface parameter is not sanitized, allowing attackers to inject arbitrary commands via a POST request to /cgi-bin/mbox-config?method=SET&section=multi_pppoe. When the action parameter is set to "one_click_redial", the unsanitized phy_interface is used in a system() call, enabling execution of malicious commands. This can lead to unauthorized access to sensitive files, execution of arbitrary code, or full device compromise.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1602.002 Network Device Configuration Dump (Collection)
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

The command injection vulnerability in the web management API enables exploitation of a public-facing application (T1190), arbitrary command execution on the network device CLI (T1059.008), and unauthorized access to sensitive files such as device configurations (T1602.002).

CVEs Like This One

CVE-2026-3798 (same vendor: Comfast)
CVE-2025-9584 (same vendor: Comfast)
CVE-2026-2823 (same vendor: Comfast)
CVE-2025-9585 (same vendor: Comfast)
CVE-2026-2537 (same vendor: Comfast)
CVE-2026-2534 (same vendor: Comfast)
CVE-2026-2535 (same vendor: Comfast)
CVE-2026-2824 (same vendor: Comfast)
CVE-2025-9583 (same vendor: Comfast)
CVE-2025-9581 (same vendor: Comfast)

Affected Assets

Vendor: comfast
Product: cf-xr11 firmware
Version: 2.7.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): mandates input validation at API entry points so that parameters such as phy_interface are checked against the values the firmware actually expects before use, directly preventing command injection into the system() call.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting and patching of flaws such as the unsanitized phy_interface handling in the vulnerable firmware version.

SI-9 Information Input Restrictions (prevent): enforces restrictions on who may supply input at system boundaries, which would limit phy_interface to valid values and block malicious payloads in POST requests to the multi_pppoe endpoint. Note that SI-9 is a withdrawn control in 800-53 r5 (it was withdrawn in r4 and incorporated into AC-2, AC-3, AC-5 and AC-6); when mapping this CVE to a current control set, cite SI-10 for the validation requirement and AC-3 (Access Enforcement) for restricting who can reach the management API.
