CVE-2025-9582
Published: 28 August 2025
Summary
CVE-2025-9582 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9582 is a command injection vulnerability in the Comfast CF-N1 firmware version 2.6.0. The flaw resides in the ntp_timezone function within the /usr/bin/webmgnt file, where manipulation of the timestr argument enables arbitrary command execution. It is associated with CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users, requiring low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability through injected commands, potentially enabling further compromise depending on the attacker's access level.
References include proof-of-concept exploits published on GitHub at paths like /ZZ2266/.github.io/tree/main/COMFAST/N1V2/ntp_timezone, along with entries on VulDB (ctiid.321695, id.321695, submit.636128). No vendor patches or specific mitigation guidance are detailed in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26144
Vulnerability details
A flaw has been found in Comfast CF-N1 2.6.0. Affected is the function ntp_timezone of the file /usr/bin/webmgnt. Executing manipulation of the argument timestr can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the webmgnt ntp_timezone function via the timestr parameter enables remote exploitation of a public-facing web application (T1190), indirect command execution (T1202), and Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of the timestr argument to block special-element injection into ntp_timezone commands.
- AC-6 (Least Privilege): Limits privileges of the webmgnt process and authenticated users so any injected commands cannot perform high-impact actions.
- CM-7 (Least Functionality): Restricts the device to least functionality, allowing the vulnerable ntp_timezone code path to be disabled or sandboxed when not required.
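As an added illustration of the SI-10 control described above (example code written for this page, not Comfast firmware and not the webmgnt code), the following C shows an allowlist check for a timezone string and an argv construction that keeps the value out of any shell. The function names, the argument layout, the `TIMESTR_MAX` bound and the `/usr/bin/tzset-helper` path are hypothetical placeholders; the sample inputs are constructed.

```c
/*
 * Added example (not Comfast code): allowlist validation of a timezone
 * string before it reaches any command, plus argv construction so the
 * value is passed as a single argument to execve/posix_spawn rather than
 * interpolated into a system() command line.
 * validate_timestr, build_tz_argv and /usr/bin/tzset-helper are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TIMESTR_MAX 64   /* hypothetical upper bound on a zone name */

/* Characters that POSIX TZ strings and zoneinfo names are built from.
 * Shell metacharacters (; | & $ ` ( ) < > space, quotes, newline) are
 * deliberately absent, so a value that passes can never terminate or
 * chain a command even if it were (wrongly) handed to a shell. */
static const char TIMESTR_ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789+-:/_,.";

/* Returns 1 if timestr is acceptable, 0 otherwise. */
int validate_timestr(const char *timestr)
{
    size_t len = 0;

    if (timestr == NULL)
        return 0;

    /* Bounded scan: refuse over-long or empty values. */
    while (len <= TIMESTR_MAX && timestr[len] != '\0')
        len++;
    if (len == 0 || len > TIMESTR_MAX)
        return 0;

    /* A leading '-' could be parsed as an option by the helper. */
    if (timestr[0] == '-')
        return 0;

    /* Zoneinfo names are looked up as paths; block traversal. */
    if (strstr(timestr, "..") != NULL)
        return 0;

    /* Every character must be in the allowlist. */
    if (strspn(timestr, TIMESTR_ALLOWED) != len)
        return 0;

    return 1;
}

/* Builds an argv vector for a helper invoked directly (execve/posix_spawn),
 * so timestr is one argument and is never interpreted by a shell.
 * Returns the argument count, or -1 if timestr fails validation or the
 * output array is too small. */
int build_tz_argv(const char *timestr, const char *argv_out[], size_t max_args)
{
    if (max_args < 4 || !validate_timestr(timestr))
        return -1;
    argv_out[0] = "/usr/bin/tzset-helper";  /* hypothetical helper path */
    argv_out[1] = "--zone";                 /* hypothetical option name */
    argv_out[2] = timestr;                  /* the value, as a single argv entry */
    argv_out[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs: three legitimate zone strings, three that
     * must be rejected (shell separator, command substitution, traversal). */
    const char *samples[] = {
        "Asia/Shanghai", "UTC-8", "EST5EDT,M3.2.0,M11.1.0",
        "UTC;id", "Europe/Paris`id`", "../../etc/passwd"
    };
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_tz_argv(samples[i], argv, 4);
        printf("%-28s -> %s\n", samples[i], rc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The allowlist intentionally leaves out `<` and `>`, which POSIX TZ uses for quoted abbreviations such as `<+03>-3`; if a device must accept those, widen the set but keep the exec-without-shell pattern, since the argv construction, not the character filter, is what makes the value inert. The helper invoked from argv should itself run under an unprivileged account, which is the AC-6 control in the list above.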