Cyber Posture

CVE-2025-9586

MediumPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0050 66.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9586 is a medium-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Indirect Command Execution (T1202); ranked in the top 33.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Indirect Command Execution (T1202).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation
addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring
addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
attack.mitre.org →
Why these techniques?

Remote command injection via the 'mac' parameter in the wireless_device_dissoc function of /usr/bin/webmgnt enables indirect command execution (T1202), as explicitly mapped in the advisory.

NVD Description

A vulnerability was identified in Comfast CF-N1 2.6.0. This vulnerability affects the function wireless_device_dissoc of the file /usr/bin/webmgnt. Such manipulation of the argument mac leads to command injection. The attack may be performed from a remote location. The exploit is…

more

publicly available and might be used.

Deeper analysisAI

CVE-2025-9586 is a command injection vulnerability affecting Comfast CF-N1 firmware version 2.6.0. The issue resides in the wireless_device_dissoc function within the /usr/bin/webmgnt file, where improper handling of the 'mac' argument enables command injection. Published on 2025-08-28, it is associated with CWE-74 and CWE-77, and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker possessing low privileges, requiring no user interaction. Successful exploitation allows arbitrary command execution on the affected device, with limited impacts on confidentiality, integrity, and availability.

Advisories documented on VulDB (ctiid.321699, id.321699, submit.636137) detail the vulnerability, while a GitHub repository provides a publicly available exploit at https://github.com/ZZ2266/.github.io/blob/main/COMFAST/N1V2/wireless_device_dissoc/readme.md. No specific patches or mitigations are referenced in the available information.

The exploit's public availability suggests potential for real-world use against vulnerable Comfast CF-N1 devices.

Details

CWE(s)
CWE-74CWE-77

Affected Products

comfast
cf-n1 firmware
2.6.0

CVEs Like This One

CVE-2025-9583Same product: Comfast Cf-N1
CVE-2025-9585Same product: Comfast Cf-N1
CVE-2025-9581Same product: Comfast Cf-N1
CVE-2025-9582Same product: Comfast Cf-N1
CVE-2025-9584Same product: Comfast Cf-N1
CVE-2026-2535Same product: Comfast Cf-N1
CVE-2026-2534Same product: Comfast Cf-N1
CVE-2026-2537Same vendor: Comfast
CVE-2026-2823Same vendor: Comfast
CVE-2026-2824Same vendor: Comfast

References