EFM CVE-2026-2550
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
ipTIME A6004MX router has an access control vulnerability in VPN client configuration enabling unauthorized network access.
Technical ContextAI
ipTIME A6004MX firmware 14.18.2 has a CWE-284 access control vulnerability in the commit_vpncli_file function.
Affected ProductsAI
ipTIME A6004MX firmware 14.18.2
RemediationAI
Update firmware. Restrict management access.
Same weakness CWE-284 – Improper Access Control
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today