Command Injection Vulnerability in Comfast CF-N1 V2 Router
CVE-2026-2534

5.3MEDIUM

Key Information:

Vendor: Comfast
Status: Cf-n1 V2
Vendor: CVE Published:; 16 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-2534?

The Comfast CF-N1 V2 version 2.6.0.2 contains a command injection vulnerability within the sub_44AC4C function located in the /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth file. This flaw allows attackers to manipulate the 'bandwidth' argument, potentially leading to unauthorized command execution. Notably, this vulnerability can be exploited remotely, posing a significant risk to network integrity. The exploit has been publicly disclosed, yet the vendor received no response to initial notifications regarding the issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CF-N1 V2 2.6.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-2534 - Proof of Concept

References

https://vuldb.com/?id.346122

vdb-entrytechnical-description

https://vuldb.com/?ctiid.346122

signaturepermissions-required

https://vuldb.com/?submit.748783

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

🟡
Public PoC available
Feb 16, 2026
👾
Exploit known to exist
Feb 16, 2026
Vulnerability published
Feb 16, 2026
Vulnerability Reserved
Feb 15, 2026

Credit

allanp0e (VulDB User)

JSON

Comfast