Skip to main content

EFM ipTIME C200 EUVDEUVD-2026-27319

| CVE-2026-7833 HIGH
Command Injection (CWE-77)
2026-05-05 VulDB GHSA-m3xj-gqh8-33xm
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 13:31 vuln.today
CVSS changed
May 05, 2026 - 13:22 NVD
7.2 (HIGH) 7.3 (HIGH)

DescriptionCVE.org

A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote command injection in EFM ipTIME C200 camera firmware (versions up to 1.092) allows authenticated administrators to execute arbitrary system commands via malicious file upload to the ApplyRestore endpoint. The vulnerability exists in the sub_408F90 function processing the RestoreFile parameter in /cgi/iux_set.cgi. Exploitation probability is elevated by publicly available proof-of-concept code demonstrating the attack technique, though no active exploitation has been confirmed by CISA KEV at time of analysis. Vendor has been unresponsive to disclosure attempts, indicating no official patch timeline.

Technical ContextAI

This vulnerability is a classic OS command injection (CWE-77) affecting the configuration restoration feature of the ipTIME C200 IP camera. The affected function sub_408F90 in /cgi/iux_set.cgi fails to properly sanitize the RestoreFile argument when processing uploaded configuration backup files through the ApplyRestore endpoint. Command injection vulnerabilities occur when untrusted input is concatenated into system shell commands without validation, allowing attackers to break out of the intended command context using shell metacharacters (semicolons, pipes, backticks). IP cameras and IoT devices commonly implement configuration backup/restore via CGI scripts that invoke system utilities like tar, gzip, or custom shell scripts, making them frequent targets for command injection if input validation is insufficient. The CPE identifier cpe:2.3:a:efm:iptime_c200 confirms this affects EFM Networks' ipTIME C200 camera product line.

RemediationAI

No vendor-released patch identified at time of analysis due to manufacturer non-response to disclosure. Until an official fix is released, implement these SPECIFIC compensating controls: (1) Restrict network access to the camera's web management interface to trusted administrator IP addresses only via firewall rules or VLAN segmentation, blocking internet exposure entirely - this prevents remote exploitation but requires static admin IPs and blocks legitimate remote management. (2) Disable or restrict access to the /cgi/iux_set.cgi endpoint and ApplyRestore functionality via reverse proxy rules or web application firewall if the device supports it - this breaks configuration restore features but blocks the attack vector. (3) Enforce strong unique admin passwords (16+ characters) and enable account lockout if supported to reduce credential compromise risk - does not prevent exploitation if credentials are stolen but raises attacker cost. (4) Monitor device system logs for unexpected process execution or configuration changes - provides detection but no prevention. (5) Consider replacing affected devices with patched alternatives if this is mission-critical infrastructure and vendor remains unresponsive. See proof-of-concept details at https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/c200/sub_409054_vulnerability_report_EN.md to understand attack patterns for detection rules.

Share

EUVD-2026-27319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy