Cyber Posture

CVE-2026-2535

Medium · Public PoC

Published: 16 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly prevents command injection by requiring validation and sanitization of the 'channel' argument in the vulnerable CGI endpoint.

prevent · recover

Addresses the specific known flaw in firmware version 2.6.0.2 through timely remediation, patching, or workarounds despite vendor non-response.

prevent

Mitigates exposure by restricting or disabling the unnecessary 'ptest_channel' functionality and associated CGI endpoint.

Security Summary · AI

CVE-2026-2535 is a command injection vulnerability affecting the Comfast CF-N1 V2 router running firmware version 2.6.0.2. The issue resides in the sub_44AB9C function within the /cgi-bin/mbox-config?method=SET&section=ptest_channel endpoint, where manipulation of the 'channel' argument enables arbitrary command execution. This flaw is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by attackers who possess low privileges, such as authenticated users on the device. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution within the context of the affected component. No user interaction is required, and the low attack complexity makes it accessible over the network.

Advisories from VulDB and a public GitHub repository detail the vulnerability, including a proof-of-concept exploit. The vendor was notified early but provided no response or patch, leaving affected devices without official mitigation. Security practitioners should consider network segmentation, disabling the affected endpoint if possible, or upgrading firmware if updates become available.

The exploit has been publicly disclosed and could be actively used in the wild, increasing the risk for exposed Comfast CF-N1 V2 devices.

Details

CWE(s)

Affected Products

Vendor: comfast
Product: cf-n1 firmware
Version: 2.6.0.2

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via web management endpoint on a network-exposed router enables exploitation of public-facing applications (T1190) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
