CVE-2026-2550
Received - Intake
Unrestricted File Upload in EFM iptime A6004MX CGI Module

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A vulnerability was found in EFM iptime A6004MX 14.18.2. It affects the function commit_vpncli_file_upload in the file /cgi/timepro.cgi. Manipulating this function results in unrestricted upload. The attack can be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-16
Last Modified: 2026-02-16
Generated: 2026-05-07
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
efm iptime_a6004mx 14.18.2
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2550 is a critical security vulnerability in the EFM ipTIME A6004MX router firmware version 14.18.2, specifically in the function commit_vpncli_file_upload within the /cgi/timepro.cgi file.

The vulnerability involves two main issues: an authentication bypass and an arbitrary file upload flaw. Attackers can bypass authentication by accessing sensitive CGI functions through the /cgi/ URL path instead of the intended /sess-bin/ path, circumventing session validation.

The arbitrary file upload flaw allows attackers to upload malicious OpenVPN configuration files (.ovpn) without proper validation of file extensions or content. These files are saved in the system directory and can contain directives that enable execution of arbitrary system commands with root privileges when processed by the VPN service.

This chain of vulnerabilities enables remote code execution (RCE) on the affected device without any authentication, making it highly critical.


How can this vulnerability impact me?

This vulnerability can have severe impacts on affected systems:

  • Confidentiality: Attackers can access sensitive files such as /etc/shadow and wireless credentials.
  • Integrity: System configurations can be altered, persistent backdoors installed, or firmware modified.
  • Availability: Critical files can be deleted, causing denial of service or device bricking.
  • Remote Code Execution: Attackers can execute arbitrary commands with root privileges on the device.
  • Botnet Potential: The exploit is automatable, enabling mass compromise and recruitment of devices into botnets.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unauthorized access attempts to the /cgi/timepro.cgi endpoint on the EFM iptime A6004MX router firmware version 14.18.2. Specifically, look for HTTP requests that bypass authentication by accessing CGI functions through the /cgi/ URL path instead of the intended /sess-bin/ path.

Network monitoring tools or web server logs can be used to identify suspicious POST requests to /cgi/timepro.cgi that include file uploads, especially those containing .ovpn files.

Suggested commands to detect exploitation attempts include:

  • Using tcpdump or tshark to capture HTTP traffic targeting the router's IP on port 80 or 443 and filter for /cgi/timepro.cgi requests.
  • Example tcpdump command (the filter matches TCP payloads that begin with "POST"; -l line-buffers the output so grep sees it immediately):
    tcpdump -l -i <interface> -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)))' | grep '/cgi/timepro.cgi'
  • Checking web server or router logs for POST requests to /cgi/timepro.cgi with multipart form data containing .ovpn files.
  • Monitoring for creation of unexpected files in the /etc/econf/vpnclient/openvpn/ directory on the router, which may indicate successful arbitrary file upload.

[1, 2, 3]
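The log check described in this answer can be automated. The following is an added example, not code from this page or from the vendor: it assumes a network sensor or reverse proxy in front of the router that writes one JSON record per HTTP request, and the field names (src, method, target, content_type, filenames) are a hypothetical schema. It normalizes the request target before matching, so a doubled slash or percent-encoded character in the logged path does not hide a request to /cgi/timepro.cgi.

```python
import json
import posixpath
import re
from urllib.parse import unquote

BYPASS_PATH = "/cgi/timepro.cgi"  # endpoint named in the advisory text

def normalize_path(target):
    """Drop the query string, percent-decode, collapse '//' and dot segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def classify(rec):
    """Return a severity for one sensor record, or None if it is unrelated."""
    if normalize_path(rec.get("target", "")) != BYPASS_PATH:
        return None
    multipart = rec.get("content_type", "").lower().startswith("multipart/form-data")
    if rec.get("method", "").upper() != "POST" or not multipart:
        return "review"          # touched the unauthenticated path, no upload
    names = rec.get("filenames") or []
    if any(n.lower().endswith(".ovpn") for n in names):
        return "high"            # .ovpn upload through /cgi/
    return "suspicious"          # upload through /cgi/, file name not recorded

def scan(lines):
    """Return (line number, source address, severity) for each flagged record."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue             # skip truncated or non-JSON sensor lines
        if isinstance(rec, dict):
            severity = classify(rec)
            if severity:
                findings.append((lineno, rec.get("src"), severity))
    return findings

# Constructed sample records (hypothetical schema, documentation address ranges).
SAMPLE = [
    '{"src": "192.168.0.10", "method": "GET", "target": "/sess-bin/timepro.cgi"}',
    '{"src": "198.51.100.7", "method": "POST", "target": "/cgi/timepro.cgi", "content_type": "multipart/form-data; boundary=x", "filenames": ["client.ovpn"]}',
    '{"src": "203.0.113.9", "method": "post", "target": "/cgi//%74imepro.cgi", "content_type": "Multipart/Form-Data; boundary=y", "filenames": ["a.OVPN"]}',
    '{"src": "203.0.113.9", "method": "GET", "target": "/cgi/timepro.cgi"}',
    '{"src": "198.51.100.7", "method": "POST", "tar',
    '{"src": "192.0.2.44", "method": "POST", "target": "/cgi/timepro.cgi", "content_type": "multipart/form-data; boundary=z"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit on the /cgi/ path is reported, because the administrative interface is expected to use /sess-bin/; the severity only ranks how closely the request matches an upload.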


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable /cgi/timepro.cgi endpoint to prevent unauthenticated attackers from exploiting the vulnerability.

  • Implement strict firewall rules to block external access to the /cgi/timepro.cgi path or the router's management interface from untrusted networks.
  • Disable or restrict remote management features on the router to trusted IP addresses only.
  • Monitor and audit the router filesystem for unauthorized files, especially in /etc/econf/vpnclient/openvpn/, and remove any suspicious files.
  • If possible, run the OpenVPN service with least privilege to limit the impact of arbitrary file uploads.

Since no official vendor patch or fix has been released, these network-level and configuration mitigations are critical to reduce the risk of exploitation.

[2, 3]

