CVE-2025-9585
Published: 28 August 2025
Summary
CVE-2025-9585 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-9585 is a command injection vulnerability in Comfast CF-N1 version 2.6.0. It affects the wifilith_delete_pic_file function within the /usr/bin/webmgnt file, where manipulation of the portal_delete_picname argument enables command injection. The issue is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers possessing low privileges, such as authenticated users. Exploitation requires low complexity and no user interaction, potentially allowing limited impacts: partial disclosure of sensitive information (C:L), limited modification of data or processes (I:L), and limited denial of service (A:L).
VulDB advisories (vuldb.com/?ctiid.321698, vuldb.com/?id.321698, vuldb.com/?submit.636136) and a GitHub repository (github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/wifilith_delete_pic_file/readme.md) document the issue. The exploit has been publicly disclosed and may be utilized, as stated in the CVE description, but no specific patch or mitigation details are provided in the available information.
The vulnerability was published on 2025-08-28, highlighting active public exposure of the exploit.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26146
Vulnerability details
A vulnerability was determined in Comfast CF-N1 2.6.0. This affects the function wifilith_delete_pic_file of the file /usr/bin/webmgnt. This manipulation of the argument portal_delete_picname causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly…
more
disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote command injection in web management interface (/usr/bin/webmgnt) of Comfast CF-N1 network device enables exploitation of public-facing application (T1190), abuse of network device CLI via injected commands (T1059.008), and indirect command execution (T1202 as assigned by VulDB).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the portal_delete_picname argument to block command injection into wifilith_delete_pic_file.
Limits privileges of the webmgnt process and authenticated users so a successful injection yields only the observed limited C/I/A impact.
Enables monitoring of webmgnt execution and argument values to identify anomalous command-injection patterns from the disclosed exploit.