CVE-2026-1740
Improper Authentication in EFM ipTIME A8004T Remote Interface
Publication date: 2026-02-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iptime | a8004t_firmware | 14.18.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1740 is a critical improper authentication vulnerability in the EFM ipTIME A8004T router firmware version 14.18.2. It exists in the function httpcon_check_session_url within the /cgi/timepro.cgi file of the hiddenloginsetup interface. The flaw allows an attacker to bypass authentication remotely without any credentials by exploiting a logical flaw where authentication is only enforced if the request URL starts with '/sess-bin/'. By sending requests to '/cgi/timepro.cgi', the attacker can skip authentication checks and gain unauthorized access, including the ability to forcibly reset the administrator's password using an unauthenticated CAPTCHA token request. [1, 2]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing remote attackers to bypass authentication and gain unauthorized access to the router's hidden administrative interface. They can forcibly reset the administrator password, compromising the confidentiality, integrity, and availability of the device. This could lead to full control over the router, enabling malicious activities such as network interception, configuration changes, or denial of service. Since the vulnerability is unpatched and exploits are publicly available, the risk is high. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring HTTP requests to the affected device for suspicious access to the /cgi/timepro.cgi endpoint without proper authentication. Specifically, look for requests that do not start with the prefix "/sess-bin/" but still access /cgi/timepro.cgi, as this indicates attempts to bypass authentication. Network monitoring tools or web server logs can be used to identify such requests. For example, using command-line tools like tcpdump or tshark to capture HTTP traffic and grep to filter requests: tcpdump -i <interface> -A 'tcp port 80' | grep '/cgi/timepro.cgi' or tshark -Y 'http.request.uri contains "/cgi/timepro.cgi"' -T fields -e http.request.uri. Additionally, checking router logs for unauthorized password reset attempts or unusual access patterns to the hiddenloginsetup interface may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Since no patches or vendor mitigations are available, immediate steps include restricting access to the affected device by limiting network exposure, such as placing the router behind a firewall or VPN and blocking external access to the /cgi/timepro.cgi endpoint. Consider disabling remote management features if possible. Monitoring for suspicious activity and unauthorized access attempts is critical. Ultimately, replacing the affected product with a secure alternative is recommended to fully mitigate the risk. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.