A8004t Firmware
Monthly
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.
The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-bin/d.cgi component that can be exploited remotely through manipulation of the cmd parameter, allowing authenticated attackers with high privileges to achieve unauthorized access. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification of the disclosure.
EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface that allows remote attackers to circumvent session validation without credentials. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Successful exploitation grants attackers unauthorized access with potential to read sensitive data, modify configurations, and disrupt service availability.
Multiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attackers to execute arbitrary OS commands through crafted UPnP requests.
The VPN service in EFM ipTIME A8004T firmware 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function that allows authenticated remote attackers to upload arbitrary files. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker with high-level privileges could exploit this to upload malicious files and potentially compromise the device.
The debug interface in EFM ipTIME A8004T firmware versions up to 14.18.2 contains a backdoor vulnerability in the /sess-bin/d.cgi component that can be exploited remotely through manipulation of the cmd parameter, allowing authenticated attackers with high privileges to achieve unauthorized access. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification of the disclosure.
EFM ipTIME A8004T firmware versions up to 14.18.2 contain an authentication bypass in the /cgi/timepro.cgi interface that allows remote attackers to circumvent session validation without credentials. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. Successful exploitation grants attackers unauthorized access with potential to read sensitive data, modify configurations, and disrupt service availability.
Multiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attackers to execute arbitrary OS commands through crafted UPnP requests.