CVE-2025-9585
Published: 28 August 2025
Summary
CVE-2025-9585 is a medium-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote command injection in web management interface (/usr/bin/webmgnt) of Comfast CF-N1 network device enables exploitation of public-facing application (T1190), abuse of network device CLI via injected commands (T1059.008), and indirect command execution (T1202 as assigned by VulDB).
NVD Description
A vulnerability was determined in Comfast CF-N1 2.6.0. This affects the function wifilith_delete_pic_file of the file /usr/bin/webmgnt. This manipulation of the argument portal_delete_picname causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly…
more
disclosed and may be utilized.
Deeper analysisAI
CVE-2025-9585 is a command injection vulnerability in Comfast CF-N1 version 2.6.0. It affects the wifilith_delete_pic_file function within the /usr/bin/webmgnt file, where manipulation of the portal_delete_picname argument enables command injection. The issue is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by attackers possessing low privileges, such as authenticated users. Exploitation requires low complexity and no user interaction, potentially allowing limited impacts: partial disclosure of sensitive information (C:L), limited modification of data or processes (I:L), and limited denial of service (A:L).
VulDB advisories (vuldb.com/?ctiid.321698, vuldb.com/?id.321698, vuldb.com/?submit.636136) and a GitHub repository (github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/wifilith_delete_pic_file/readme.md) document the issue. The exploit has been publicly disclosed and may be utilized, as stated in the CVE description, but no specific patch or mitigation details are provided in the available information.
The vulnerability was published on 2025-08-28, highlighting active public exposure of the exploit.
Details
- CWE(s)