Cyber Resilience

CVE-2026-2550

High

Published: 16 February 2026

Published: 16 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2550 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2550 is an unrestricted file upload vulnerability in EFM iptime A6004MX firmware version 14.18.2. The issue affects the commit_vpncli_file_upload function within the /cgi/timepro.cgi file, stemming from CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2026-02-16, it carries a CVSS v3.1 base score of 9.8.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful manipulation enables high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary file uploads that could lead to full system compromise.

VulDB advisories and a related GitHub issue document the vulnerability, noting that an exploit has been made public and could be used. The vendor was contacted early for disclosure coordination but provided no response, and no patches or mitigations are mentioned in available references.


Vulnerability details

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-284 Improper Access Control
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An unrestricted file upload in a public-facing CGI endpoint that requires no authentication directly enables remote exploitation of the web application (T1190) and the subsequent deployment of arbitrary malicious files such as web shells (T1505.003) for code execution and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4220 (shared CWE-284, CWE-434)
CVE-2026-0547 (shared CWE-284, CWE-434)
CVE-2025-7755 (shared CWE-284, CWE-434)
CVE-2025-1598 (shared CWE-284, CWE-434)
CVE-2025-15404 (shared CWE-284, CWE-434)
CVE-2025-15503 (shared CWE-284, CWE-434)
CVE-2025-9476 (shared CWE-284, CWE-434)
CVE-2026-7733 (shared CWE-284, CWE-434)
CVE-2025-2219 (shared CWE-284, CWE-434)
CVE-2025-1593 (shared CWE-284, CWE-434)

Affected Assets

EFM iptime A6004MX firmware version 14.18.2 (function commit_vpncli_file_upload in /cgi/timepro.cgi)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations on the commit_vpncli_file_upload function in /cgi/timepro.cgi to prevent unauthorized remote file uploads due to improper access control.

SI-10 Information Input Validation (prevent)
Validates inputs to the vulnerable file upload function to block dangerous file types and unrestricted uploads as per CWE-434.

Upload restriction (prevent)
Restricts the file types, sizes, and characteristics allowed in commit_vpncli_file_upload to mitigate unrestricted upload of arbitrary files.