Cyber Posture

CVE-2026-2535

Medium · Public PoC

Published: 16 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0052 (66.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2535 is a medium-severity Injection (CWE-74) vulnerability in Comfast CF-N1 firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly prevents command injection by requiring validation and sanitization of the 'channel' argument in the vulnerable CGI endpoint.

prevent, recover

Addresses the specific known flaw in firmware version 2.6.0.2 through timely remediation, patching, or workarounds despite vendor non-response.

prevent

Mitigates exposure by restricting or disabling the unnecessary 'ptest_channel' functionality and associated CGI endpoint.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection via web management endpoint on a network-exposed router enables exploitation of public-facing applications (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI)

CVE-2026-2535 is a command injection vulnerability affecting the Comfast CF-N1 V2 router running firmware version 2.6.0.2. The issue resides in the sub_44AB9C function within the /cgi-bin/mbox-config?method=SET&section=ptest_channel endpoint, where manipulation of the 'channel' argument enables arbitrary command execution. This flaw is classified under CWE-74 (Injection) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users on the device. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution within the context of the affected component. No user interaction is required, and the low attack complexity makes it accessible over the network.

Advisories from VulDB and a public GitHub repository detail the vulnerability, including a proof-of-concept exploit. The vendor was notified early but provided no response or patch, leaving affected devices without official mitigation. Security practitioners should consider network segmentation, disabling the affected endpoint if possible, or upgrading firmware if updates become available.

The exploit has been publicly disclosed and could be actively used in the wild, increasing the risk for exposed Comfast CF-N1 V2 devices.

Details

CWE(s)

Affected Products

Vendor: comfast
Product: cf-n1 firmware
Version: 2.6.0.2

CVEs Like This One

CVE-2025-9581 (same product: Comfast CF-N1)
CVE-2025-9583 (same product: Comfast CF-N1)
CVE-2025-9582 (same product: Comfast CF-N1)
CVE-2025-9584 (same product: Comfast CF-N1)
CVE-2025-9585 (same product: Comfast CF-N1)
CVE-2025-9586 (same product: Comfast CF-N1)
CVE-2026-2534 (same product: Comfast CF-N1)
CVE-2026-2537 (same vendor: Comfast)
CVE-2026-2824 (same vendor: Comfast)
CVE-2026-2823 (same vendor: Comfast)
