PT-2026-8310 · Comfast · Comfast Cf-N1 V2
Allanp0E · Published 2026-02-16 · Updated 2026-02-18 · CVE-2026-2534
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Comfast CF-N1 V2 version 2.6.0.2
Description
A remote command injection issue exists in Comfast CF-N1 V2 2.6.0.2. The issue is located in the sub_44AC4C function within the /cgi-bin/mbox-config file. Manipulation of the bandwidth argument in the 'ptest_bandwidth' section of the file allows for remote code execution. The exploit for this issue has been publicly disclosed. The vendor was notified but did not respond.
Recommendations
For Comfast CF-N1 V2 version 2.6.0.2, as a temporary workaround, consider restricting access to the /cgi-bin/mbox-config file to minimize the risk of exploitation. Avoid using the bandwidth parameter in the affected API endpoint /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth until the issue is resolved.
Exploit
Fix
Command Injection
Special Elements Injection
Related identifiers
Affected products
Comfast Cf-N1 V2