CVE-2025-9581
Published: 28 August 2025
Summary
CVE-2025-9581 is a medium-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 30.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in the web management binary (/usr/bin/webmgnt) via phy_interface enables exploitation of a public-facing web application (T1190), indirect command execution through the vulnerable function (T1202), and Unix shell command execution (T1059.004).
NVD Description
A vulnerability was detected in Comfast CF-N1 2.6.0. This impacts the function multi_pppoe of the file /usr/bin/webmgnt. Performing manipulation of the argument phy_interface results in command injection. The attack may be initiated remotely. The exploit is now public and may…
more
be used.
Deeper analysisAI
CVE-2025-9581 is a command injection vulnerability in Comfast CF-N1 firmware version 2.6.0, affecting the multi_pppoe function within the /usr/bin/webmgnt file. The issue arises from improper handling of the phy_interface argument, allowing injected commands to be executed. Published on 2025-08-28, it is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables command injection, resulting in limited impacts to confidentiality, integrity, and availability, such as unauthorized access to system resources or execution of arbitrary commands within the context of the affected process.
References include VulDB advisories at https://vuldb.com/?ctiid.321694, https://vuldb.com/?id.321694, and https://vuldb.com/?submit.636127, along with public exploit code on GitHub at https://github.com/ZZ2266/.github.io/tree/main/COMFAST/N1V2/multi_pppoe. The exploit is publicly available and may be used, but no specific patch or mitigation details are provided in the referenced sources.
Details
- CWE(s)