Cyber Posture

CVE-2026-2534

Medium · Public PoC

Published: 16 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability has been found in Comfast CF-N1 V2 2.6.0.2. The affected element is the function sub_44AC4C of the file /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth. The manipulation of the argument bandwidth leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates command injection by requiring validation of the 'bandwidth' argument in the vulnerable CGI endpoint to neutralize special elements.

prevent

Requires timely remediation of the specific command injection flaw in the router firmware through patching or equivalent measures.

prevent

Enforces strict restrictions on the format of the 'bandwidth' input parameter, such as numeric-only values, to block command injection payloads.

Security Summary · AI

CVE-2026-2534 is a command injection vulnerability in the Comfast CF-N1 V2 router running firmware version 2.6.0.2. The issue resides in the function sub_44AC4C within the CGI endpoint /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth, where manipulation of the "bandwidth" argument enables attackers to inject arbitrary commands. This flaw is classified under CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L), requiring no user interaction and low complexity. Successful exploitation allows limited impacts, including low-level disclosure of confidential information, modification of data or settings, and denial of service through reduced availability.

Advisories from VulDB and a related GitHub repository detail the vulnerability and provide a proof-of-concept exploit that has been publicly disclosed. No patches or vendor responses are noted, as the manufacturer was contacted early but did not reply; security practitioners should isolate affected devices and consider firmware upgrades if available from alternative sources.

The exploit's public availability increases the risk of active use against exposed Comfast CF-N1 V2 devices.

Details

CWE(s)

Affected Products

comfast · cf-n1 firmware · 2.6.0.2

MITRE ATT&CK Enterprise Techniques · AI

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in the router's CGI endpoint enables remote exploitation of the service (T1210) to execute arbitrary commands, equivalent to Network Device CLI abuse (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
