CVE-2026-2535
published 2026-02-16


Priority: P2 · 74 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 12.48% (95.7th percentile)
A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comfast | cf-n1_firmware | | |
| comfast | cf-n1_v2 | | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/mbox-config?method=SET&section=ptest_channel
path: /cgi-bin/mbox-config
url: https://github.com/jinhao118/cve/blob/main/ComFast%20Router_2.md
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ComFast mbox-config ptest_channel channel Parameter Command Injection Attempt (CVE-2026-2535)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mbox-config|3f|"; fast_pattern; startswith; content:"method|3d|SET"; content:"section|3d|ptest_channel"; http.request_body; content:"|22|channel|22|"; pcre:"/^(?:\x3a(?:\x20\x22|\x22))?[^\x2c\x7d$]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/jinhao118/cve/blob/main/ComFast%20Router_2.md; reference:cve,2026-2535; classtype:attempted-admin; sid:2068157; rev:1; metadata:affected_product ComFast, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_03_11, cve CVE_2026_2535, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_03_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /cgi-bin/mbox-config with URI parameters method=SET and section=ptest_channel; the injection payload is delivered in the request body via the 'channel' parameter.
  • Detect command injection shell metacharacters in the channel parameter body: semicolon (;/%3B), newline (\x0a/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The vulnerable function is sub_44AB9C; exploitation is unauthenticated and remote over plaintext HTTP — deploy detection at the network perimeter and internally.
  • Public exploit code is available; treat any matching traffic as high-severity attempted admin access (MITRE T1190 – Exploit Public-Facing Application).
  • Affected product is Comfast CF-N1 V2 firmware version 2.6.0.2 only; the Snort/Suricata rule (sid:2068157) targets plaintext HTTP traffic — encrypted or non-standard-port deployments will not be covered by this rule as-is.
  • The vendor did not respond to disclosure; no official patch is confirmed. Detection should remain active until a vendor fix is verified.
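
The checks listed above, restated as an added Python example for triaging logged requests offline; it is not code from this page or from the rule's authors. The JSON-shaped bodies are an assumption inferred from the rule's match on the quoted `"channel"` key, and every sample request is constructed.

```python
import re

# Value scan mirrors the rule's pcre: starting right after "channel", stay inside
# the current JSON member (stop at ',' or '}') and look for ; newline ` | $ in
# raw or percent-encoded form.
CHANNEL_META = re.compile(
    rb'"channel"(?::(?: "|"))?[^,}$]*?'
    rb'(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)'
)
URI_PREFIX = b"/cgi-bin/mbox-config?"


def matches_rule(method: bytes, uri: bytes, body: bytes) -> bool:
    """Return True when a request satisfies every condition of the rule."""
    if method != b"POST" or not uri.startswith(URI_PREFIX):
        return False
    if b"method=SET" not in uri or b"section=ptest_channel" not in uri:
        return False
    return CHANNEL_META.search(body) is not None


# Constructed sample requests (method, URI, body); not captured traffic.
SAMPLES = [
    (b"POST", b"/cgi-bin/mbox-config?method=SET&section=ptest_channel",
     b'{"channel":"6"}'),                       # normal channel change
    (b"POST", b"/cgi-bin/mbox-config?method=SET&section=ptest_channel",
     b'{"channel":"6;PLACEHOLDER"}'),           # raw semicolon in the value
    (b"POST", b"/cgi-bin/mbox-config?method=SET&section=ptest_channel",
     b'{"channel": "6%7CPLACEHOLDER"}'),        # percent-encoded pipe
    (b"POST", b"/cgi-bin/mbox-config?method=SET&section=ptest_channel",
     b'{"channel":"6","note":"a;b"}'),          # metacharacter in another field
    (b"POST", b"/cgi-bin/mbox-config?method=GET&section=ptest_channel",
     b'{"channel":"6;PLACEHOLDER"}'),           # wrong method= value in the URI
    (b"GET", b"/cgi-bin/mbox-config?method=SET&section=ptest_channel",
     b'{"channel":"6;PLACEHOLDER"}'),           # not a POST
]


def scan(samples):
    """Return the indexes of samples that the rule logic flags."""
    return [i for i, s in enumerate(samples) if matches_rule(*s)]


if __name__ == "__main__":
    print(scan(SAMPLES))
```

The fourth sample shows why the value scan stops at `,` or `}`: a metacharacter in a different body field does not raise an alert for `channel`.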

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |