Cyber Posture

CVE-2026-2534

Medium · Public PoC

Published: 16 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0052 (66.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2534 is a medium-severity Injection (CWE-74) vulnerability in Comfast Cf-N1 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 33.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates command injection by requiring validation of the 'bandwidth' argument in the vulnerable CGI endpoint to neutralize special elements.

prevent

Requires timely remediation of the specific command injection flaw in the router firmware through patching or equivalent measures.

prevent

Enforces strict restrictions on the format of the 'bandwidth' input parameter, such as numeric-only values, to block command injection payloads.
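
The numeric-only restriction described in the controls above, as an added C example (not Comfast firmware code and not taken from the referenced advisories): an allow-list parser for the 'bandwidth' value. The function name, error codes and range limits are assumptions, since the page gives no valid range for the parameter.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy limits: the advisory gives no valid range for 'bandwidth'. */
#define BW_MAX_DIGITS 7
#define BW_MIN 1L
#define BW_MAX 1000000L

/* Negative return values identify why the input was rejected. */
enum { BW_ERR_EMPTY = -1, BW_ERR_LENGTH = -2, BW_ERR_CHAR = -3, BW_ERR_RANGE = -4 };

/*
 * Allow-list parser (hypothetical helper, not firmware code).
 * Takes an explicit length so an embedded NUL cannot hide trailing bytes,
 * accepts ASCII digits only (no sign, whitespace or shell metacharacters),
 * and returns the parsed value or a negative BW_ERR_* code.
 * Callers should pass the returned integer onward, never the original string.
 */
long parse_bandwidth(const char *s, size_t len)
{
    long value = 0;

    if (s == NULL || len == 0)
        return BW_ERR_EMPTY;
    if (len > BW_MAX_DIGITS)            /* also rules out overflow of long */
        return BW_ERR_LENGTH;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')   /* rejects everything but 0-9 */
            return BW_ERR_CHAR;
        value = value * 10 + (s[i] - '0');
    }
    if (value < BW_MIN || value > BW_MAX)
        return BW_ERR_RANGE;
    return value;
}

int main(void)
{
    /* Constructed sample inputs, valid and invalid. */
    const char *samples[] = { "100", "1000000", "0", "-5", " 42", "10;x", "12345678" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %ld\n", samples[i],
               parse_bandwidth(samples[i], strlen(samples[i])));
    return 0;
}
```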

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in router CGI endpoint enables remote exploitation of the service (T1210) to execute arbitrary commands, equivalent to Network Device CLI abuse (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability has been found in Comfast CF-N1 V2 2.6.0.2. The affected element is the function sub_44AC4C of the file /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth. The manipulation of the argument bandwidth leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI)

CVE-2026-2534 is a command injection vulnerability in the Comfast CF-N1 V2 router running firmware version 2.6.0.2. The issue resides in the function sub_44AC4C within the CGI endpoint /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth, where manipulation of the "bandwidth" argument enables attackers to inject arbitrary commands. This flaw is classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), with low attack complexity and no user interaction. Successful exploitation has limited impact: low-level disclosure of confidential information, modification of data or settings, and denial of service through reduced availability.

Advisories from VulDB and a related GitHub repository detail the vulnerability and provide a proof-of-concept exploit that has been publicly disclosed. No patches or vendor responses are noted, as the manufacturer was contacted early but did not reply; security practitioners should isolate affected devices and consider firmware upgrades if available from alternative sources.

The exploit's public availability increases the risk of active use against exposed Comfast CF-N1 V2 devices.

Details

CWE(s)

Affected Products

comfast · cf-n1 firmware · 2.6.0.2

CVEs Like This One

CVE-2025-9584 · Same product: Comfast Cf-N1
CVE-2025-9585 · Same product: Comfast Cf-N1
CVE-2025-9581 · Same product: Comfast Cf-N1
CVE-2026-2535 · Same product: Comfast Cf-N1
CVE-2025-9583 · Same product: Comfast Cf-N1
CVE-2025-9586 · Same product: Comfast Cf-N1
CVE-2025-9582 · Same product: Comfast Cf-N1
CVE-2026-2823 · Same vendor: Comfast
CVE-2026-3798 · Same vendor: Comfast
CVE-2026-2537 · Same vendor: Comfast

References