
CVE-2025-9583

Severity: Low · Public PoC: yes

Published: 28 August 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 2.1 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0085 (75.3rd percentile)
Risk Priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9583 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 24.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced in its advisories.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9583 is a command injection vulnerability in the ping_config function of the /usr/bin/webmgnt file within Comfast CF-N1 version 2.6.0. Published on 2025-08-28, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command).

The vulnerability is remotely exploitable over the network by an attacker holding low privileges (for example, an authenticated user), with low attack complexity and no user interaction required. Manipulation of the input reaching the ping_config function allows command injection, resulting in limited impacts to confidentiality, integrity, and availability.

Advisories reference a publicly disclosed exploit in a GitHub repository at https://github.com/ZZ2266/.github.io/tree/main/COMFAST/N1V2/ping_config, along with VulDB entries at https://vuldb.com/?ctiid.321696, https://vuldb.com/?id.321696, and https://vuldb.com/?submit.636130, noting that the exploit may be used. No specific patches or mitigation guidance are detailed in the available information.


Vulnerability details

A vulnerability has been found in Comfast CF-N1 2.6.0. Affected by this vulnerability is the function ping_config of the file /usr/bin/webmgnt. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Command injection in the webmgnt ping_config function enables remote exploitation of a public-facing application (T1190), indirect command execution through a utility such as ping (T1202), and Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-9581 (same product: Comfast CF-N1)
CVE-2025-9582 (same product: Comfast CF-N1)
CVE-2026-2535 (same product: Comfast CF-N1)
CVE-2025-9585 (same product: Comfast CF-N1)
CVE-2025-9586 (same product: Comfast CF-N1)
CVE-2025-9584 (same product: Comfast CF-N1)
CVE-2026-2534 (same product: Comfast CF-N1)
CVE-2026-2537 (same vendor: Comfast)
CVE-2026-2824 (same vendor: Comfast)
CVE-2026-3798 (same vendor: Comfast)

Affected Assets

Vendor: comfast · Product: cf-n1 firmware · Version: 2.6.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of inputs to the ping_config function, blocking the special characters that enable command injection.

Prevent: AC-6 (Least Privilege). Restricts the privileges under which /usr/bin/webmgnt executes and limits which authenticated users can invoke ping_config, reducing the attack surface and impact.

Prevent: CM-7 (Least Functionality). Enforces least functionality by disabling or removing the ping_config capability (or the entire webmgnt binary) when not required, eliminating the injectable code path.
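As an added example of the input-validation control above, not code from the Comfast firmware or from this advisory: a C handler that accepts a user-supplied ping target only if it is an IPv4 literal or an RFC 1123 hostname, and then runs ping through fork/execvp with a fixed argv so that no shell ever interprets the string. The function names is_safe_ping_target, build_ping_argv and run_ping, the count limit and the argv layout are assumptions for illustration; nothing here reflects the real ping_config implementation.

```c
/* Added example (not Comfast code): positive validation of a ping target
 * plus shell-free execution.  Function names and limits are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_TARGET 253   /* maximum hostname length per RFC 1035 */

/* Accept only an IPv4 dotted-quad or an RFC 1123 hostname.  Everything else
 * (shell metacharacters, whitespace, leading '-' option-like strings) is
 * rejected.  Returns 1 if safe, 0 otherwise. */
int is_safe_ping_target(const char *s)
{
    size_t len, label_len = 0;
    struct in_addr a;

    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_TARGET) return 0;

    if (inet_pton(AF_INET, s, &a) == 1) return 1;   /* valid IPv4 literal */

    /* hostname: labels of [A-Za-z0-9-], no leading/trailing '-', joined by '.' */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-') return 0;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label_len == 0) return 0;   /* also blocks "-opt" */
            if (++label_len > 63) return 0;
        } else {
            return 0;
        }
    }
    return label_len > 0 && s[len - 1] != '-';
}

/* Fill a NULL-terminated argv for execvp.  The target is one argument, so
 * shell syntax has no meaning even if it reached this point.  Returns 0 on
 * success, -1 if the input is rejected or argv is too small. */
int build_ping_argv(const char *target, int count, char *argv[], size_t argv_len)
{
    static char count_buf[4];   /* assumption: handler is single-threaded */

    if (argv_len < 5) return -1;
    if (!is_safe_ping_target(target)) return -1;
    if (count < 1 || count > 10) return -1;   /* bound the probe count */

    snprintf(count_buf, sizeof count_buf, "%d", count);
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = count_buf;
    argv[3] = (char *)target;
    argv[4] = NULL;
    return 0;
}

/* Run ping via fork/execvp (no /bin/sh).  Returns ping's exit status, or -1
 * if the input was rejected or the child could not be started. */
int run_ping(const char *target, int count)
{
    char *argv[5];
    int status = 0;
    pid_t pid;

    if (build_ping_argv(target, count, argv, 5) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "127.0.0.1";
    if (!is_safe_ping_target(target)) {
        fprintf(stderr, "rejected target: %s\n", target);
        return 2;
    }
    printf("ping exited with status %d\n", run_ping(target, 1));
    return 0;
}
```

The design point is that the two controls reinforce each other: the allow-list validator is the primary defence, and the fixed argv with execvp means that even a validation gap cannot turn a target string into shell commands. Rejecting a leading '-' also prevents the target from being parsed as a ping option.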
