CVE-2026-2550: Unrestricted Upload in EFM iptime A6004MX
A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack can be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2550 is a critical vulnerability in the EFM iptime A6004MX router, firmware version 14.18.2. It resides in the commit_vpncli_file_upload function of the /cgi/timepro.cgi endpoint, which improperly handles file uploads and lets a remote attacker upload arbitrary files without authentication or user interaction. Uploaded files may include malicious scripts or binaries, which can lead to remote code execution: an attacker could take full control of the router, manipulate network traffic, install persistent backdoors, or pivot into internal networks.
The vulnerability has been assigned a CVSS 4.0 score of 9.3 (critical), reflecting its network attack vector, lack of required privileges, and high impact on confidentiality, integrity, and availability. The exploit has been publicly disclosed, which increases the likelihood of active exploitation. Despite early notification, the vendor EFM has not responded or released patches, leaving devices exposed. The affected product is widely used in consumer and small business environments, particularly in South Korea and neighboring countries, making this a significant threat to those user bases. With no vendor response and no patch available, users and administrators need to apply defensive measures immediately.
Potential Impact
The unrestricted file upload vulnerability in the EFM iptime A6004MX router can have severe consequences for affected organizations and users worldwide. Successful exploitation allows attackers to upload and execute arbitrary code remotely, leading to full device compromise. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, installation of persistent malware, and disruption of network services. For enterprises and small businesses relying on these routers for network connectivity, this can lead to data breaches, loss of confidentiality, integrity, and availability of critical systems. The vulnerability also poses risks to home users who may have sensitive personal data or IoT devices connected behind the router. The public availability of exploit code and absence of vendor patches increase the likelihood of widespread attacks. Additionally, compromised routers can be recruited into botnets, amplifying the threat to broader internet infrastructure. Overall, the impact ranges from localized network compromise to large-scale cyber espionage or disruption campaigns, especially in regions with high deployment of the affected devices.
Mitigation Recommendations
Given the absence of an official patch from the vendor, affected organizations and users should implement immediate and specific mitigation strategies:
1) Disable remote management interfaces on the EFM iptime A6004MX router to prevent external access to the vulnerable upload function.
2) Restrict network access to the router’s management interface by implementing firewall rules that allow only trusted internal IP addresses.
3) Segment the network to isolate the router and critical assets, limiting lateral movement if compromise occurs.
4) Monitor network traffic and router logs for unusual file upload attempts or unexpected changes in configuration.
5) If possible, replace the vulnerable router with a different model or vendor that is actively supported and patched.
6) Employ network intrusion detection systems (NIDS) tuned to detect exploitation attempts targeting this vulnerability.
7) Educate users about the risks and advise against exposing the router’s management interface to the internet.
8) Regularly back up router configurations and maintain incident response plans to quickly recover from potential compromises.
These targeted actions go beyond generic advice and address the specific exploitation vector and device characteristics.
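Recommendations 2, 4 and 6 can be checked against HTTP logs from a proxy or sensor in front of the router. The script below is an added example, not code from the advisory or the vendor: it flags POST requests to /cgi/timepro.cgi that come from outside the trusted management subnets or that carry a file upload. The log format, the subnets, the multipart/form-data heuristic and the sample lines are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

VULN_PATH = "/cgi/timepro.cgi"  # endpoint named in the advisory
# Assumption: the only subnets allowed to manage the router.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.10.5.0/28")]
# Assumption: combined-style log with the request Content-Type as a final quoted field.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "(?P<ctype>[^"]*)"$')

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source counts as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def normalize(uri):
    # Drop the query string, decode %xx, collapse // and /./ segments.
    path = unquote(uri.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def classify(line):
    """Return an alert dict for a suspicious request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST" or normalize(m["uri"]) != VULN_PATH:
        return None
    # Assumption: file uploads arrive as multipart/form-data.
    upload = m["ctype"].lower().startswith("multipart/form-data")
    trusted = is_trusted(m["src"])
    if trusted and not upload:
        return None  # ordinary settings change from the management subnet
    severity = "high" if upload and not trusted else "medium"
    return {"src": m["src"], "ts": m["ts"], "upload": upload, "severity": severity}

def scan(lines):
    return [a for a in map(classify, lines) if a]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.45 - - [16/Feb/2026:10:21:03 +0000] "POST /cgi/timepro.cgi HTTP/1.1" 200 512 "multipart/form-data; boundary=x"',
    '192.168.0.10 - - [16/Feb/2026:10:22:10 +0000] "POST /cgi/timepro.cgi HTTP/1.1" 200 230 "application/x-www-form-urlencoded"',
    '192.168.0.10 - - [16/Feb/2026:10:23:41 +0000] "POST /cgi/timepro.cgi HTTP/1.1" 200 1024 "multipart/form-data; boundary=y"',
    '198.51.100.7 - - [16/Feb/2026:10:24:02 +0000] "GET /cgi/timepro.cgi HTTP/1.1" 200 300 "-"',
    '198.51.100.7 - - [16/Feb/2026:10:24:09 +0000] "POST /cgi/%2e/timepro.cgi?x=1 HTTP/1.1" 200 10 "application/x-www-form-urlencoded"',
]
```

An upload from a trusted address is still reported at medium severity so that an administrator can confirm it was intentional.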
Affected Countries
South Korea, Japan, China, Taiwan, Vietnam, Singapore, Malaysia, Indonesia, Thailand
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T16:12:46.592Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992ef1fbda29fb02f643b58
Added to database: 2/16/2026, 10:19:11 AM
Last enriched: 2/23/2026, 9:20:35 PM
Last updated: 4/1/2026, 9:48:29 PM