CVE-2025-9581
Published: 28 August 2025
Summary
CVE-2025-9581 is a low-severity Injection (CWE-74) vulnerability in Comfast CF-N1 firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked in the top 22.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A command injection vulnerability exists in Comfast CF-N1 version 2.6.0. The flaw is located in the multi_pppoe function of the /usr/bin/webmgnt binary and stems from insufficient sanitization of the phy_interface argument, enabling an attacker to inject and execute operating system commands.
An authenticated remote attacker with low privileges can trigger the issue over the network by supplying a malicious parameter value to the web management interface. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the device, consistent with the reported CVSS 4.0 score of 2.1 and the associated CWE-74 and CWE-77 classifications.
Public proof-of-concept code has been published on GitHub, confirming that the exploit is now available. The EPSS score remains flat at 0.0101 with no material rise since disclosure, and the referenced VulDB entries provide no details on patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26131
Vulnerability details
A vulnerability was detected in Comfast CF-N1 2.6.0. This impacts the function multi_pppoe of the file /usr/bin/webmgnt. Performing manipulation of the argument phy_interface results in command injection. The attack may be initiated remotely. The exploit is now public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Command injection in the web management binary (/usr/bin/webmgnt) via phy_interface enables exploitation of a public-facing web application (T1190), indirect command execution through the vulnerable function (T1202), and Unix shell command execution (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the phy_interface argument before it reaches the multi_pppoe function, blocking command injection.
Limits privileges of the webmgnt process so that any injected commands execute with minimal rights, reducing confidentiality/integrity/availability impact.
Restricts network access to the management interface, preventing remote unauthenticated or low-privilege attackers from reaching the vulnerable endpoint.
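
The input-validation control described above, sketched as an added example that is not code from webmgnt or from the vendor: an allow-list check for an interface-name parameter such as phy_interface, plus an argument vector built for execv()/posix_spawn() so that no shell parses the value. The names valid_ifname, build_argv and the HELPER path are hypothetical, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 15 /* Linux IFNAMSIZ (16) minus the terminating NUL */

/* Allow-list check: 1..15 bytes of [A-Za-z0-9._-], no leading '-',
 * and not "." or "..". Everything else, including every shell
 * metacharacter and whitespace, is rejected rather than escaped. */
bool valid_ifname(const char *s)
{
    if (s == NULL || s[0] == '\0' || s[0] == '-') return false;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return false;
    for (size_t i = 0; s[i] != '\0'; i++) {
        char c = s[i];
        if (i >= IFNAME_MAX) return false;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Fill argv for execv()/posix_spawn(), so no shell ever parses the value.
 * HELPER is a hypothetical program path, used only for illustration.
 * Returns 0 on success, -1 if the interface name is rejected. */
#define HELPER "/usr/sbin/pppoe-helper"
int build_argv(const char *ifname, const char *argv[4])
{
    if (!valid_ifname(ifname)) return -1;
    argv[0] = HELPER;
    argv[1] = "--";   /* end of options: the value is never read as a flag */
    argv[2] = ifname;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample values for the phy_interface parameter. */
    const char *samples[] = { "eth0", "br-lan", "eth0.2", "eth0; echo x",
                              "$(id)", "-h", "averyveryverylongname0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *argv[4];
        printf("%-24s %s\n", samples[i],
               build_argv(samples[i], argv) == 0 ? "accept" : "reject");
    }
    return 0;
}
```

Rejecting on the allow-list, rather than trying to escape metacharacters, keeps the check independent of which shell or helper the firmware would otherwise invoke.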