Cyber Resilience

CVE-2025-9582

LowPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0092 76.5th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9582 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9582 is a command injection vulnerability in the Comfast CF-N1 firmware version 2.6.0. The flaw resides in the ntp_timezone function within the /usr/bin/webmgnt file, where manipulation of the timestr argument enables arbitrary command execution. It is associated with CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users, requiring low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through injected commands, potentially enabling further compromise depending on the attacker's access level.

References include proof-of-concept exploits published on GitHub at paths like /ZZ2266/.github.io/tree/main/COMFAST/N1V2/ntp_timezone, along with entries on VulDB (ctiid.321695, id.321695, submit.636128). No vendor patches or specific mitigation guidance are detailed in the available sources.

EU & UK References

Vulnerability details

A flaw has been found in Comfast CF-N1 2.6.0. Affected is the function ntp_timezone of the file /usr/bin/webmgnt. Executing manipulation of the argument timestr can lead to command injection. The attack may be launched remotely. The exploit has been published…

more

and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Command injection in webmgnt ntp_timezone function via timestr parameter enables remote exploitation of public-facing web application (T1190), indirect command execution (T1202), and Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-9583Same product: Comfast Cf-N1
CVE-2025-9581Same product: Comfast Cf-N1
CVE-2026-2535Same product: Comfast Cf-N1
CVE-2025-9585Same product: Comfast Cf-N1
CVE-2025-9586Same product: Comfast Cf-N1
CVE-2025-9584Same product: Comfast Cf-N1
CVE-2026-2534Same product: Comfast Cf-N1
CVE-2026-2537Same vendor: Comfast
CVE-2026-2824Same vendor: Comfast
CVE-2026-3798Same vendor: Comfast

Affected Assets

comfast
cf-n1 firmware
2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and neutralization of the timestr argument to block special-element injection into ntp_timezone commands.

prevent

Limits privileges of the webmgnt process and authenticated users so any injected commands cannot perform high-impact actions.

prevent

Restricts the device to least functionality, allowing the vulnerable ntp_timezone code path to be disabled or sandboxed when not required.

References