A8004t Firmware
CVE-2026-1742
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.
Technical ContextAI
Classified as CWE-284 (Improper Access Control). Affects A8004T Firmware. A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
More in A8004t Firmware
View allMultiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attac
The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-
EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface tha
Same weakness CWE-284 – Improper Access Control
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today