A8004t Firmware
CVE-2026-1740
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface that allows remote attackers to circumvent session validation without credentials. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Successful exploitation grants attackers unauthorized access with potential to read sensitive data, modify configurations, and disrupt service availability.
Technical ContextAI
Classified as CWE-287 (Improper Authentication). Affects A8004T Firmware. A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in A8004t Firmware
View allMultiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attac
The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_v
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today