CVE-2026-2550
Received Received - Intake
Unrestricted File Upload in EFM iptime A6004MX CGI Module

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-02-16
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2550
EUVD
EUVD-2026-6098
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
efm iptime_a6004mx 14.18.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2550 is a critical security vulnerability in the EFM ipTIME A6004MX router firmware version 14.18.2, specifically in the function commit_vpncli_file_upload within the /cgi/timepro.cgi file.

The vulnerability involves two main issues: an authentication bypass and an arbitrary file upload flaw. Attackers can bypass authentication by accessing sensitive CGI functions through the /cgi/ URL path instead of the intended /sess-bin/ path, circumventing session validation.

The arbitrary file upload flaw allows attackers to upload malicious OpenVPN configuration files (.ovpn) without proper validation of file extensions or content. These files are saved in the system directory and can contain directives that enable execution of arbitrary system commands with root privileges when processed by the VPN service.

This chain of vulnerabilities enables remote code execution (RCE) on the affected device without any authentication, making it highly critical.

Impact Analysis

This vulnerability can have severe impacts on affected systems:

  • Confidentiality: Attackers can access sensitive files such as /etc/shadow and wireless credentials.
  • Integrity: System configurations can be altered, persistent backdoors installed, or firmware modified.
  • Availability: Critical files can be deleted, causing denial of service or device bricking.
  • Remote Code Execution: Attackers can execute arbitrary commands with root privileges on the device.
  • Botnet Potential: The exploit is automatable, enabling mass compromise and recruitment of devices into botnets.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized access attempts to the /cgi/timepro.cgi endpoint on the EFM iptime A6004MX router firmware version 14.18.2. Specifically, look for HTTP requests that bypass authentication by accessing CGI functions through the /cgi/ URL path instead of the intended /sess-bin/ path.'}, {'type': 'paragraph', 'content': 'Network monitoring tools or web server logs can be used to identify suspicious POST requests to /cgi/timepro.cgi that include file uploads, especially those containing .ovpn files.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': "Using tcpdump or tshark to capture HTTP traffic targeting the router's IP on port 80 or 443 and filter for /cgi/timepro.cgi requests."}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)))' | grep '/cgi/timepro.cgi'"}, {'type': 'list_item', 'content': 'Checking web server or router logs for POST requests to /cgi/timepro.cgi with multipart form data containing .ovpn files.'}, {'type': 'list_item', 'content': 'Monitoring for creation of unexpected files in /etc/econf/vpnclient/openvpn/ directory on the router, which may indicate successful arbitrary file upload.'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable /cgi/timepro.cgi endpoint to prevent unauthenticated attackers from exploiting the vulnerability.'}, {'type': 'list_item', 'content': "Implement strict firewall rules to block external access to the /cgi/timepro.cgi path or the router's management interface from untrusted networks."}, {'type': 'list_item', 'content': 'Disable or restrict remote management features on the router to trusted IP addresses only.'}, {'type': 'list_item', 'content': 'Monitor and audit the router filesystem for unauthorized files, especially in /etc/econf/vpnclient/openvpn/, and remove any suspicious files.'}, {'type': 'list_item', 'content': 'If possible, run the OpenVPN service with least privilege to limit the impact of arbitrary file uploads.'}, {'type': 'paragraph', 'content': 'Since no official vendor patch or fix has been released, these network-level and configuration mitigations are critical to reduce the risk of exploitation.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart