CVE-2026-2534
published 2026-02-16
Priority P2 78 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.04% (95.6th percentile)
A vulnerability has been found in Comfast CF-N1 V2 2.6.0.2. The affected element is the function sub_44AC4C of the file /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth. The manipulation of the argument bandwidth leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comfast | cf-n1_firmware | — | — |
| comfast | cf-n1_v2 | — | — |
Detection & IOCs (extracted from sources)
url: https://github.com/jinhao118/cve/blob/main/ComFast%20Router_1.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_bandwidth bandwidth Parameter Command Injection Attempt (CVE-2026-2534)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mbox-config|3f|"; fast_pattern; startswith; content:"method|3d|SET"; content:"section|3d|ptest_bandwidth"; http.request_body; content:"|22|bandwidth|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/jinhao118/cve/blob/main/ComFast%20Router_1.md; reference:cve,2026-2534; classtype:attempted-admin; sid:2068156; rev:1;)
- Exploit traffic is HTTP POST only; filter on POST method to /cgi-bin/mbox-config URI.
- Request must contain both 'method=SET' and 'section=ptest_bandwidth' query parameters to be targeted at the vulnerable endpoint.
- Injection payload is carried in the POST request body inside the 'bandwidth' JSON/form field; look for shell metacharacters: semicolon (;/%3B), newline (%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24) following the bandwidth value.
- Exploitation is remote and unauthenticated; the vulnerable function is sub_44AC4C in the device firmware. Prioritize perimeter and internal network monitoring for Comfast CF-N1 V2 devices.
- Traffic is plaintext HTTP (not TLS); detection should be applied at perimeter and internal network segments.
- Affected product is specifically Comfast CF-N1 V2 firmware version 2.6.0.2; scope detection rules to this device/version to reduce false positives.
- The vendor did not respond to disclosure; no patch is confirmed available. Mitigation must rely on network-level controls.
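The detection criteria listed above can also be applied to already-parsed HTTP records (for example proxy or web-server logs) where no IDS sits in the path. The following is an added example, not code from the advisory or the rule author; the function names, the `note` field and the sample requests are constructed for illustration, and it assumes each record exposes the method, URI and request body as strings.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/mbox-config"
# Shell metacharacters named in the notes above, raw or percent-encoded.
META = re.compile(r"[;\n`|$]|%(?:3b|0a|60|7c|24)", re.IGNORECASE)
# Text following the "bandwidth" key, bounded by the next ',' or '}'.
FIELD = re.compile(r'"bandwidth"\s*:?\s*([^,}]*)')


def targets_endpoint(method, uri):
    """True for POST requests to mbox-config with method=SET and section=ptest_bandwidth."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    return (method == "POST" and parts.path == ENDPOINT
            and "SET" in query.get("method", [])
            and "ptest_bandwidth" in query.get("section", []))


def is_injection_attempt(method, uri, body):
    """Flag a request whose bandwidth value carries a shell metacharacter."""
    if not targets_endpoint(method, uri):
        return False
    return any(META.search(m.group(1)) for m in FIELD.finditer(body))


# Constructed sample requests (method, URI, body); CMD is a placeholder string.
URI = "/cgi-bin/mbox-config?method=SET&section=ptest_bandwidth"
SAMPLES = [
    ("POST", URI, '{"bandwidth": "100"}'),                 # normal value
    ("POST", URI, '{"bandwidth": "100;CMD"}'),             # raw semicolon
    ("POST", URI, '{"bandwidth":"100%7CCMD"}'),            # percent-encoded pipe
    ("POST", URI, '{"bandwidth": "100", "note": "a;b"}'),  # metachar in another field
    ("GET", URI, '{"bandwidth": "100;CMD"}'),              # wrong method
    ("POST", "/cgi-bin/mbox-config?method=SET&section=other",
     '{"bandwidth": "100;CMD"}'),                          # different section
]


def scan(samples):
    """Return one boolean verdict per request, in order."""
    return [is_injection_attempt(m, u, b) for m, u, b in samples]


if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan(SAMPLES)):
        print("ALERT" if hit else "ok   ", sample[0], sample[2])
```

Bounding the inspected text at the next `,` or `}` keeps metacharacters in unrelated fields from raising alerts, the same bound the rule's pcre applies.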
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_bandwidth bandwidth Parameter Command Injection Attempt (CVE-2026-2534)
suricata·2026-03-11·CVSS 5.3
CVE-2026-2534 [MEDIUM] ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_bandwidth bandwidth Parameter Command Injection Attempt (CVE-2026-2534)
No public exploits indexed.
No writeups or analysis indexed.