Description
A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.3 Medium
EPSS: 10.5% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw was discovered in the Comfast CF‑N1 V2 router firmware 2.6.0.2. The vulnerability resides in the sub_44AB9C routine of the /cgi‑bin/mbox‑config CGI handler. By supplying a specially crafted value for the channel parameter, an attacker can execute arbitrary operating‑system commands on the router, which can lead to full remote compromise, allowing data exfiltration or pivoting to other internal assets. The flaw is reportable as a remote attack that requires only an ability to reach the router’s management interface over HTTP or HTTPS.

Affected Systems

The impact is limited to Comfast CF‑N1 V2 routers running firmware version 2.6.0.2. Earlier firmware releases are not mentioned as affected, and no other manufacturers or products are known to be impacted. Management interfaces that expose the /cgi‑bin/mbox‑config endpoint remain the only affected component.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS score is 10 %, suggesting a low current exploitation probability. The vulnerability is publicly available and can be launched remotely. The description states that manipulating the channel argument can lead to arbitrary OS command execution via command injection. Based on the description, it is inferred that authentication may not be required to reach the /cgi-bin/mbox-config endpoint, but this is not explicitly confirmed by the CVE data. The vulnerability is not listed in the CISA KEV catalog, so it has not yet been confirmed as exploited in the wild.

Generated by OpenCVE AI on June 18, 2026 at 10:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest firmware from Comfast’s official download page to patch the command‑injection flaw (CWE‑77) and related input‑validation issues (CWE‑74).
  • If a patch is unavailable, restrict external access to the /cgi‑bin/mbox‑config interface by configuring firewall rules or disabling remote management, thereby preventing unauthenticated exploitation.
  • Place the router behind a perimeter firewall and allow management traffic only from a secure internal network or dedicated VLAN; monitor logs for anomalous activity that may indicate attempted command injection.

Generated by OpenCVE AI on June 18, 2026 at 10:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Comfast cf-n1 Firmware
CPEs cpe:2.3:h:comfast:cf-n1:2:*:*:*:*:*:*:*
cpe:2.3:o:comfast:cf-n1_firmware:2.6.0.2:*:*:*:*:*:*:*
Vendors & Products Comfast cf-n1 Firmware

Tue, 17 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Comfast
Comfast cf-n1
Vendors & Products Comfast
Comfast cf-n1

Mon, 16 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Comfast CF-N1 V2 mbox-config sub_44AB9C command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Comfast Cf-n1 Cf-n1 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:05:37.645Z

Reserved: 2026-02-15T09:15:24.085Z

Link: CVE-2026-2535

cve-icon Vulnrichment

Updated: 2026-02-17T17:07:11.909Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-16T05:16:07.777

Modified: 2026-06-17T10:31:15.863

Link: CVE-2026-2535

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:00:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')