CVE-2025-9584
Published: 28 August 2025
Summary
CVE-2025-9584 is a medium-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The remote command injection vulnerability in the web management interface (/usr/bin/webmgnt) of the Comfast CF-N1 router enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution via the network device CLI or web interface injection (T1059.008).
NVD Description
A vulnerability was found in Comfast CF-N1 2.6.0. Affected by this issue is the function update_interface_png of the file /usr/bin/webmgnt. The manipulation of the argument interface/display_name results in command injection. The attack can be executed remotely. The exploit has been…
more
made public and could be used.
Deeper analysisAI
CVE-2025-9584 is a command injection vulnerability affecting Comfast CF-N1 firmware version 2.6.0. The issue resides in the update_interface_png function within the /usr/bin/webmgnt file, where manipulation of the interface/display_name argument enables command injection. Published on 2025-08-28, it is rated with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-74 and CWE-77.
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution within the context of the affected component.
Advisories and additional details are documented on VulDB (https://vuldb.com/?ctiid.321697, https://vuldb.com/?id.321697, https://vuldb.com/?submit.636131), while a public exploit is available on GitHub (https://github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/update_interface_png/readme.md).
The exploit has been made public, heightening the potential for real-world abuse.
Details
- CWE(s)