CVE-2025-9584
Published: 28 August 2025
Summary
CVE-2025-9584 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9584 is a command injection vulnerability affecting Comfast CF-N1 firmware version 2.6.0. The issue resides in the update_interface_png function within the /usr/bin/webmgnt file, where manipulation of the interface/display_name argument enables command injection. Published on 2025-08-28, it is rated with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-74 and CWE-77.
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution within the context of the affected component.
Advisories and additional details are documented on VulDB (https://vuldb.com/?ctiid.321697, https://vuldb.com/?id.321697, https://vuldb.com/?submit.636131), while a public exploit is available on GitHub (https://github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/update_interface_png/readme.md).
The exploit has been made public, heightening the potential for real-world abuse.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28870
Vulnerability details
A vulnerability was found in Comfast CF-N1 2.6.0. Affected by this issue is the function update_interface_png of the file /usr/bin/webmgnt. The manipulation of the argument interface/display_name results in command injection. The attack can be executed remotely. The exploit has been…
more
made public and could be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remote command injection vulnerability in the web management interface (/usr/bin/webmgnt) of the Comfast CF-N1 router enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution via the network device CLI or web interface injection (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates the interface/display_name argument in update_interface_png to reject command metacharacters before they reach the shell.
Restricts the privileges of the webmgnt process and authenticated users so that any injected commands have only limited effect on the device.
Requires prompt application of firmware patches that eliminate the unsanitized call in update_interface_png once the public exploit is known.