CRITICALCVE-2026-2550Published 2026-02-16Modified 2026-02-23CNA VulDB

CVE-2026-2550: EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

EFM / iptime A6004MX
14.18.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

VDB-346159 | EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload
VDB-346159 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #749986 | EFM iptime A6004MX 14.18.2 Authentication Bypass & Arbitrary File Upload leading to RCE
github.com

Metrics