CVE-2026-2550

Critical

Published: 16 February 2026

Published

16 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 18.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2550 is a critical-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations on the commit_vpncli_file_upload function in /cgi/timepro.cgi to prevent unauthorized remote file uploads due to improper access control.

SI-10 Information Input Validation good match

prevent

Validates inputs to the vulnerable file upload function to block dangerous file types and unrestricted uploads as per CWE-434.

SI-9 Information Input Restrictions good match

prevent

Restricts file types, sizes, and characteristics allowed in commit_vpncli_file_upload to mitigate unrestricted upload of arbitrary files.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1100 Web Shell Persistence

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

attack.mitre.org →

Why these techniques?

Unrestricted file upload in public-facing CGI endpoint (no auth) directly enables remote exploitation of the web application (T1190) and subsequent deployment of arbitrary malicious files such as web shells (T1100) for code execution and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be…

used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-2550 is an unrestricted file upload vulnerability in EFM iptime A6004MX firmware version 14.18.2. The issue affects the commit_vpncli_file_upload function within the /cgi/timepro.cgi file, stemming from CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). Published on 2026-02-16, it carries a CVSS v3.1 base score of 9.8.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful manipulation enables high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary file uploads that could lead to full system compromise.

VulDB advisories and a related GitHub issue document the vulnerability, noting that an exploit has been made public and could be used. The vendor was contacted early for disclosure coordination but provided no response, and no patches or mitigations are mentioned in available references.