Cyber Resilience

CVE-2025-9586

LowPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0085 75.3th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9586 is a low-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Indirect Command Execution (T1202); ranked in the top 24.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-9586 is a command injection vulnerability affecting Comfast CF-N1 firmware version 2.6.0. The issue resides in the wireless_device_dissoc function within the /usr/bin/webmgnt file, where improper handling of the 'mac' argument enables command injection. Published on 2025-08-28, it is associated with CWE-74 and CWE-77, and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker possessing low privileges, requiring no user interaction. Successful exploitation allows arbitrary command execution on the affected device, with limited impacts on confidentiality, integrity, and availability.

Advisories documented on VulDB (ctiid.321699, id.321699, submit.636137) detail the vulnerability, while a GitHub repository provides a publicly available exploit at https://github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/wireless_device_dissoc/readme.md. No specific patches or mitigations are referenced in the available information.

The exploit's public availability suggests potential for real-world use against vulnerable Comfast CF-N1 devices.

EU & UK References

Vulnerability details

A vulnerability was identified in Comfast CF-N1 2.6.0. This vulnerability affects the function wireless_device_dissoc of the file /usr/bin/webmgnt. Such manipulation of the argument mac leads to command injection. The attack may be performed from a remote location. The exploit is…

more

publicly available and might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote command injection via the 'mac' parameter in the wireless_device_dissoc function of /usr/bin/webmgnt enables indirect command execution (T1202), as explicitly mapped in the advisory.

CVEs Like This One

CVE-2025-9583Same product: Comfast Cf-N1
CVE-2025-9581Same product: Comfast Cf-N1
CVE-2025-9585Same product: Comfast Cf-N1
CVE-2025-9582Same product: Comfast Cf-N1
CVE-2025-9584Same product: Comfast Cf-N1
CVE-2026-2534Same product: Comfast Cf-N1
CVE-2026-2535Same product: Comfast Cf-N1
CVE-2026-2537Same vendor: Comfast
CVE-2026-3798Same vendor: Comfast
CVE-2026-2823Same vendor: Comfast

Affected Assets

comfast
cf-n1 firmware
2.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the 'mac' argument in wireless_device_dissoc to block command injection payloads before execution.

prevent

Limits privileges of the webmgnt process or remote accounts so that successful injection yields only minimal impact on the CF-N1 device.

detect

Verifies integrity of /usr/bin/webmgnt and detects unauthorized command execution or tampering from the public exploit.

References