Cyber Resilience

CVE-2025-9584

LowPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0085 75.3th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9584 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9584 is a command injection vulnerability affecting Comfast CF-N1 firmware version 2.6.0. The issue resides in the update_interface_png function within the /usr/bin/webmgnt file, where manipulation of the interface/display_name argument enables command injection. Published on 2025-08-28, it is rated with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-74 and CWE-77.

A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution within the context of the affected component.

Advisories and additional details are documented on VulDB (https://vuldb.com/?ctiid.321697, https://vuldb.com/?id.321697, https://vuldb.com/?submit.636131), while a public exploit is available on GitHub (https://github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/update_interface_png/readme.md).

The exploit has been made public, heightening the potential for real-world abuse.

EU & UK References

Vulnerability details

A vulnerability was found in Comfast CF-N1 2.6.0. Affected by this issue is the function update_interface_png of the file /usr/bin/webmgnt. The manipulation of the argument interface/display_name results in command injection. The attack can be executed remotely. The exploit has been…

more

made public and could be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

The remote command injection vulnerability in the web management interface (/usr/bin/webmgnt) of the Comfast CF-N1 router enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution via the network device CLI or web interface injection (T1059.008).

CVEs Like This One

CVE-2025-9585Same product: Comfast Cf-N1
CVE-2026-2534Same product: Comfast Cf-N1
CVE-2026-2535Same product: Comfast Cf-N1
CVE-2025-9583Same product: Comfast Cf-N1
CVE-2025-9581Same product: Comfast Cf-N1
CVE-2025-9582Same product: Comfast Cf-N1
CVE-2025-9586Same product: Comfast Cf-N1
CVE-2026-3798Same vendor: Comfast
CVE-2026-2823Same vendor: Comfast
CVE-2026-2537Same vendor: Comfast

Affected Assets

comfast
cf-n1 firmware
2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the interface/display_name argument in update_interface_png to reject command metacharacters before they reach the shell.

prevent

Restricts the privileges of the webmgnt process and authenticated users so that any injected commands have only limited effect on the device.

preventrecover

Requires prompt application of firmware patches that eliminate the unsanitized call in update_interface_png once the public exploit is known.

References