LeakyCreds

CVE-2026-2550 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: February 16, 2026

EFM iptime A6004MX - Unrestricted File Upload

Published: February 16, 2026 | Updated: February 16, 2026 | Remote Exploitable

Overview

EFM iptime A6004MX 14.18.2 contains an unrestricted file upload vulnerability in the commit_vpncli_file_upload function of /cgi/timepro.cgi. Manipulating this function lets remote attackers upload arbitrary files. Exploitation requires no special privileges.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (Probability of exploitation in next 30 days)

Impact

Remote attackers can upload arbitrary files, potentially leading to remote code execution or system compromise.

Mitigation

Update to the latest version or apply vendor patches when available.

Social Media Activity (4 posts)

Offensive Sequence
@offseq
Feb 16, 2026

CVE-2026-2550 (CRITICAL): EFM iptime A6004MX (fw 14.18.2) allows unauthenticated uploads via /cgi/timepro.cgi — enabling full device compromise. No patch yet. Block access & monitor for malicious activity. https://radar.offseq.com/threat/cve-2026-2550-unrestricted-upload-in-efm-iptime-a6-a8baac0d #OffSeq #Vuln #RouterSecurity #CVE2026

Offensive Sequence
@offseq
Feb 16, 2026

CVE-2026-2550 (CRITICAL, CVSS 9.3) in EFM iptime A6004MX 14.18.2: Unrestricted remote file upload via /cgi/timepro.cgi. Exploit public, no vendor response. Isolate affected devices ASAP. https://radar.offseq.com/threat/cve-2026-2550-unrestricted-upload-in-efm-iptime-a6-a8baac0d #OffSeq #Vulnerability #InfoSec #RouterSecurity


Details

CVE ID: CVE-2026-2550
Severity: Critical
CVSS Score: 9.8
Type: unrestricted_file_upload
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (Probability of exploitation in the next 30 days)