CVE-2026-7833
Deferred Deferred - Pending Action
Command Injection in EFM ipTIME C200 Firmware

Publication date: 2026-05-05

Last updated on: 2026-05-05

Assigner: VulDB

Description
A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7833
EUVD
EUVD-2026-27319
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
efm iptime_c200 to 1.092 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote command injection with root privileges on the affected device, potentially enabling unauthorized access, data exfiltration, and persistence mechanisms.

Such unauthorized access and potential data breaches could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Executive Summary

CVE-2026-7833 is a command injection vulnerability in the ipTIME C200 IP Camera running firmware version 1.092. It exists in the ApplyRestore endpoint, specifically in the function that processes backup configuration files.

The vulnerability occurs because the device reads configuration values from a file without properly sanitizing or escaping special shell characters. These values are then directly used in a command executed with root privileges.

An attacker with a valid session can craft a malicious configuration archive containing shell commands injected into user ID or password fields. When the device processes this archive, the injected commands are executed, allowing arbitrary command execution with root access.

This vulnerability can be exploited remotely and allows attackers to gain persistent root shell access, potentially by enabling telnet or modifying startup scripts.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected device with root privileges.

  • Remote attackers can gain unauthorized root shell access.
  • Attackers can persist access by modifying startup scripts.
  • Sensitive data could be exfiltrated from the device.
  • The device could be used as a foothold for further attacks within a network.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious restore operations on the ApplyRestore endpoint (/cgi/iux_set.cgi) of the ipTIME C200 device, especially those involving configuration files with injected shell commands.

One detection method is to analyze HTTP POST requests to the ApplyRestore endpoint for payloads containing unusual shell characters or backtick injections in the sysset_userid or sysset_userpw fields.

Additionally, after a restore operation, checking for the presence of an unauthenticated telnet shell on the device can indicate exploitation.

  • Use network monitoring tools (e.g., Wireshark or tcpdump) to capture HTTP POST requests to /cgi/iux_set.cgi and inspect for suspicious payloads.
  • On the device, run commands to check if the telnet service is running unexpectedly, for example: `ps | grep telnetd` or `netstat -an | grep :23`.
  • Check device logs or debug output for evidence of executed commands or restore operations.
Mitigation Strategies

Immediate mitigation steps include disabling the ApplyRestore endpoint or restricting access to it to trusted users only, as the vulnerability is triggered via this endpoint.

Avoid uploading any configuration restore files from untrusted sources to prevent command injection.

If possible, monitor and disable any unauthorized telnet services that may have been started by an attacker.

Since the vendor has not responded, consider isolating the vulnerable device from untrusted networks until a patch or update is available.

Regularly audit device configurations and running services to detect any unauthorized changes or persistence mechanisms.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart