Cyber Resilience

CVE-2025-9585

LowPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0085 75.3th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9585 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9585 is a command injection vulnerability in Comfast CF-N1 version 2.6.0. It affects the wifilith_delete_pic_file function within the /usr/bin/webmgnt file, where manipulation of the portal_delete_picname argument enables command injection. The issue is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by attackers possessing low privileges, such as authenticated users. Exploitation requires low complexity and no user interaction, potentially allowing limited impacts: partial disclosure of sensitive information (C:L), limited modification of data or processes (I:L), and limited denial of service (A:L).

VulDB advisories (vuldb.com/?ctiid.321698, vuldb.com/?id.321698, vuldb.com/?submit.636136) and a GitHub repository (github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/wifilith_delete_pic_file/readme.md) document the issue. The exploit has been publicly disclosed and may be utilized, as stated in the CVE description, but no specific patch or mitigation details are provided in the available information.

The vulnerability was published on 2025-08-28, highlighting active public exposure of the exploit.

EU & UK References

Vulnerability details

A vulnerability was determined in Comfast CF-N1 2.6.0. This affects the function wifilith_delete_pic_file of the file /usr/bin/webmgnt. This manipulation of the argument portal_delete_picname causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly…

more

disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote command injection in web management interface (/usr/bin/webmgnt) of Comfast CF-N1 network device enables exploitation of public-facing application (T1190), abuse of network device CLI via injected commands (T1059.008), and indirect command execution (T1202 as assigned by VulDB).

CVEs Like This One

CVE-2025-9584Same product: Comfast Cf-N1
CVE-2025-9583Same product: Comfast Cf-N1
CVE-2025-9581Same product: Comfast Cf-N1
CVE-2025-9582Same product: Comfast Cf-N1
CVE-2025-9586Same product: Comfast Cf-N1
CVE-2026-2534Same product: Comfast Cf-N1
CVE-2026-2535Same product: Comfast Cf-N1
CVE-2026-3798Same vendor: Comfast
CVE-2026-2823Same vendor: Comfast
CVE-2026-2537Same vendor: Comfast

Affected Assets

comfast
cf-n1 firmware
2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the portal_delete_picname argument to block command injection into wifilith_delete_pic_file.

prevent

Limits privileges of the webmgnt process and authenticated users so a successful injection yields only the observed limited C/I/A impact.

detect

Enables monitoring of webmgnt execution and argument values to identify anomalous command-injection patterns from the disclosed exploit.

References