CVE-2026-7833
Command Injection in EFM ipTIME C200 Firmware
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| efm | iptime_c200 | up to 1.092 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7833 is a command injection vulnerability in the ipTIME C200 IP Camera running firmware version 1.092. It exists in the ApplyRestore endpoint, specifically in the function that processes backup configuration files.
The vulnerability occurs because the device reads configuration values from a file without properly sanitizing or escaping special shell characters. These values are then directly used in a command executed with root privileges.
An attacker with a valid session can craft a malicious configuration archive containing shell commands injected into user ID or password fields. When the device processes this archive, the injected commands are executed, allowing arbitrary command execution with root access.
This vulnerability can be exploited remotely and allows attackers to gain persistent root shell access, potentially by enabling telnet or modifying startup scripts.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands on the affected device with root privileges.
- Remote attackers can gain unauthorized root shell access.
- Attackers can persist access by modifying startup scripts.
- Sensitive data could be exfiltrated from the device.
- The device could be used as a foothold for further attacks within a network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious restore operations on the ApplyRestore endpoint (/cgi/iux_set.cgi) of the ipTIME C200 device, especially those involving configuration files with injected shell commands.
One detection method is to analyze HTTP POST requests to the ApplyRestore endpoint for payloads containing unusual shell characters or backtick injections in the sysset_userid or sysset_userpw fields.
Additionally, after a restore operation, checking for the presence of an unauthenticated telnet shell on the device can indicate exploitation.
- Use network monitoring tools (e.g., Wireshark or tcpdump) to capture HTTP POST requests to /cgi/iux_set.cgi and inspect for suspicious payloads.
- On the device, run commands to check if the telnet service is running unexpectedly, for example: `ps | grep telnetd` or `netstat -an | grep :23`.
- Check device logs or debug output for evidence of executed commands or restore operations.
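As an added example (not code from the advisory or the vendor), the field check described above can be run offline over a restore file or a captured request body before it reaches the device. It assumes the configuration has been extracted to plain `key=value` lines, which the advisory does not confirm; only the two field names come from the text, and the sample inputs are constructed.

```python
import re
from urllib.parse import unquote

# Field names are taken from the advisory text; the key=value layout is an assumption.
WATCHED_FIELDS = {"sysset_userid", "sysset_userpw"}

# Shell special elements that can change how a command line is parsed (CWE-77).
# Heuristic: a legitimate password may contain some of these, so hits need review.
SHELL_META = re.compile(r"`|\$\(|\$\{|[;|&<>\n\r]")


def find_suspicious_fields(config_text):
    """Return (line_no, field, decoded_value, tokens) for watched fields
    whose value contains shell metacharacters, raw or percent-encoded."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key not in WATCHED_FIELDS:
            continue
        decoded = unquote(value)  # also catches %60, %24%28, %0a, ...
        tokens = sorted(set(SHELL_META.findall(decoded)))
        if tokens:
            findings.append((line_no, key, decoded, tokens))
    return findings


# Constructed samples; "example_other_key" is a hypothetical, unwatched key.
SAMPLE_CLEAN = """\
# constructed sample, not from a real device
example_other_key=lobby
sysset_userid=admin
sysset_userpw=S3cure-Pass
"""

SAMPLE_TAMPERED = """\
# constructed sample, not from a real device
example_other_key=lobby;x
sysset_userid=admin`INJECTED_COMMAND`
sysset_userpw=pw%24%28INJECTED_COMMAND%29
"""

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        for line_no, field, value, tokens in find_suspicious_fields(text):
            print(f"{name}: line {line_no}: {field} contains {tokens}: {value!r}")
```

A hit is a reason to reject the restore file and review it by hand, not proof of exploitation.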
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the ApplyRestore endpoint or restricting access to it to trusted users only, as the vulnerability is triggered via this endpoint.
Avoid uploading any configuration restore files from untrusted sources to prevent command injection.
If possible, monitor and disable any unauthorized telnet services that may have been started by an attacker.
Since the vendor has not responded, consider isolating the vulnerable device from untrusted networks until a patch or update is available.
Regularly audit device configurations and running services to detect any unauthorized changes or persistence mechanisms.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote command injection with root privileges on the affected device, potentially enabling unauthorized access, data exfiltration, and persistence mechanisms.
Such unauthorized access and potential data breaches could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.