
CVE-2026-2535: Command Injection in Comfast CF-N1 V2

Severity: Medium
Type: Vulnerability
Published: Mon Feb 16 2026 (02/16/2026, 04:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Comfast
Product: CF-N1 V2

Description

A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 02/16/2026, 05:18:29 UTC

Technical Analysis

CVE-2026-2535 is a command injection vulnerability identified in the Comfast CF-N1 V2 router firmware version 2.6.0.2. The vulnerability resides in the function sub_44AB9C within the CGI script /cgi-bin/mbox-config, specifically when processing the 'channel' parameter in requests to the endpoint with method=SET and section=ptest_channel. Improper input validation allows an attacker to inject arbitrary shell commands remotely without requiring authentication or user interaction. This flaw enables remote code execution on the device, potentially allowing attackers to take full control of the router, manipulate network traffic, or pivot into internal networks. The vulnerability was responsibly disclosed, but the vendor has not responded or released any patches. The exploit code has been publicly disclosed, increasing the likelihood of exploitation by threat actors. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability, resulting in a medium severity rating (5.3). The lack of vendor patching and public exploit availability make this a significant risk for affected deployments.

Potential Impact

For European organizations, exploitation of CVE-2026-2535 could lead to unauthorized control over Comfast CF-N1 V2 routers, which are often used in small office or home office environments or as part of branch network infrastructure. Attackers could execute arbitrary commands to disrupt network connectivity, intercept or redirect traffic, or use the compromised device as a foothold for further attacks within the corporate network. This could result in data breaches, service outages, or lateral movement to more critical systems. The medium severity score reflects moderate impact, but the ease of exploitation and lack of authentication increase the risk. Organizations relying on these devices for critical connectivity or with weak network segmentation are particularly vulnerable. The absence of vendor patches means that affected devices remain exposed until mitigations are applied or devices replaced.

Mitigation Recommendations

Given the lack of vendor response and absence of patches, European organizations should implement compensating controls immediately. These include disabling remote management interfaces on Comfast CF-N1 V2 devices to prevent external exploitation, restricting network access to the device management interface via firewall rules or VPNs, and segmenting the network to isolate vulnerable devices from critical infrastructure. Monitoring network traffic for unusual activity or command injection attempts targeting the /cgi-bin/mbox-config endpoint is advised. Where possible, replace affected devices with updated or alternative hardware from vendors with active security support. Additionally, organizations should maintain an inventory of Comfast devices to identify and prioritize remediation. Applying strict access controls and regularly auditing device configurations can reduce the attack surface. Finally, educating users about the risks of unmanaged network devices can help prevent inadvertent exposure.
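The monitoring step above can be sketched as a log check. This is an added example, not code from the advisory or the vendor: it flags requests to the ptest_channel handler whose channel value is not a short integer. The record layout (src, url, body), the places the parameter is looked for (query string, form body, JSON body) and the numeric allow-list are assumptions, and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/mbox-config"
NUMERIC = re.compile(r"\d{1,3}")  # assumption: a legitimate channel is a short integer
BASE = ENDPOINT + "?method=SET&section=ptest_channel"

SAMPLE = [  # constructed records (documentation IP ranges), not captured traffic
    {"src": "192.0.2.10", "url": BASE, "body": '{"channel": "6"}'},
    {"src": "198.51.100.7", "url": BASE, "body": '{"channel": "6;placeholder"}'},
    {"src": "198.51.100.7", "url": BASE + "&channel=11%26placeholder", "body": ""},
    {"src": "192.0.2.10", "url": ENDPOINT + "?method=GET&section=wifi_info", "body": ""},
]

def find_key(node, key):
    """Yield every value stored under `key` anywhere in a decoded JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def suspicious(record):
    """Return the non-numeric channel values carried by one request."""
    parts = urlsplit(record["url"])
    query = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    # Match on path and section only, so a changed method value does not hide a hit.
    if parts.path != ENDPOINT or query.get("section") != ["ptest_channel"]:
        return []
    body = record.get("body", "")
    values = list(query.get("channel", []))
    values += parse_qs(body, keep_blank_values=True).get("channel", [])
    try:
        values += [str(v) for v in find_key(json.loads(body), "channel")]
    except ValueError:
        pass  # body is empty or not JSON
    return [v for v in values if not NUMERIC.fullmatch(v)]

def alerts(records):
    """Pair each offending source address with the values that failed the check."""
    return [(r["src"], bad) for r in records if (bad := suspicious(r))]

if __name__ == "__main__":
    for src, bad in alerts(SAMPLE):
        print(f"ALERT {src}: non-numeric channel value(s) {bad!r}")
```

An allow-list on the expected value shape avoids chasing individual shell metacharacters or encodings; any request from outside the management network to this endpoint is worth reviewing regardless of the channel value.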


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-15T09:15:24.085Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6992a54bbda29fb02f457206

Added to database: 2/16/2026, 5:04:11 AM

Last enriched: 2/16/2026, 5:18:29 AM

Last updated: 2/21/2026, 12:17:31 AM
