CVE-2025-9585
BaseFortify
Publication date: 2025-08-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comfast | cf-n1_firmware | 2.6.0 |
| comfast | cf-n1 | 2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9585 is a command injection vulnerability in the Comfast CF-N1 device running firmware version 2.6.0. It exists in the function wifilith_delete_pic_file within the binary /usr/bin/webmgnt. The vulnerability occurs because the portal_delete_picname argument is not properly sanitized, allowing an attacker to inject arbitrary system commands remotely. This can lead to unauthorized execution of commands on the device. [1, 2]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an attacker to execute arbitrary system commands on the affected device remotely. This can lead to unauthorized access to sensitive information, compromise of the device's confidentiality, integrity, and availability, and potentially complete control over the device. The attack complexity is low and no mitigations currently exist, making it a significant risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for exploitation attempts targeting the portal_delete_picname parameter in the /usr/bin/webmgnt binary, specifically the wifilith_delete_pic_file function. Since the vulnerability is a command injection, suspicious command execution or unusual system behavior related to this API may indicate exploitation. Network intrusion detection systems (NIDS) can be configured to look for unusual HTTP requests or parameters containing shell metacharacters targeting this endpoint. Specific commands to detect exploitation attempts are not provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include considering replacement of the affected Comfast CF-N1 device running firmware version 2.6.0, as no known mitigations or countermeasures currently exist. Restricting network access to the vulnerable device and monitoring for exploitation attempts are recommended. Applying any available firmware updates or patches from the vendor should be prioritized if released. Since the vulnerability allows remote command injection with low attack complexity, isolating the device from untrusted networks can reduce risk. [2]