A6004MX unrestricted file upload (CVE-2026-2550)
CVE-2026-2550
Unauthenticated attackers can upload arbitrary files to the router, leading to full compromise. Update to the latest firmware immediately.
Patch now - CVE-2026-2550 is a critical unauthenticated arbitrary file upload in iptime A6004MX router firmware 14.18.2 that grants an attacker complete control over the device and network. No vendor patch has been released, so restrict WAN access urgently.
Security Advisory: Critical Unrestricted File Upload Vulnerability in iptime A6004MX Router
Overview
A critical security flaw has been identified in the EFM iptime A6004MX wireless router, firmware version 14.18.2. The vulnerability resides in a specific function (commit_vpncli_file_upload) within the router’s web management interface (/cgi/timepro.cgi). This flaw allows an unauthenticated attacker to upload arbitrary files to the device without restriction.
Vulnerability Details
In simple terms, the router’s web interface contains a feature for uploading VPN client configuration files. Due to insufficient security checks, this feature does not properly validate what is being uploaded or who is uploading it. An attacker can remotely send a malicious file directly to this interface. Because the attack can be launched without any login credentials, it is exceptionally dangerous.
Impact
If successfully exploited, this vulnerability can have severe consequences:
- Complete System Compromise: An attacker can upload a malicious script or firmware file, potentially gaining full control over the router.
- Network Infiltration: Once the router is compromised, the attacker can intercept, redirect, or monitor all network traffic passing through it (a “man-in-the-middle” attack).
- Malware Distribution: The compromised router can be used to redirect users to phishing sites or infect devices on the local network with malware.
- Persistence: Malicious files could survive router reboots, making the infection difficult to remove.
The public disclosure of an exploit increases the likelihood of widespread attacks.
Remediation and Mitigation Steps
Primary Action: Immediate Firmware Update
- Check for Updates: Log in to your iptime A6004MX router’s web administration panel. Navigate to the firmware update section (often under “Management” or “System”).
- Apply Patch: Install the latest official firmware version provided by EFM. If a specific patch for CVE-2026-2550 is listed, apply it immediately. If no update addressing this CVE is yet available, updating to the most recent firmware is still critical, as it may contain a fix.
Critical Interim Mitigations (If No Patch is Available):
- Restrict Access: Immediately disable remote administration (WAN-side access) to the router’s management interface. Ensure it is only accessible from your local network (LAN).
- Network Segmentation: If possible, place the router in a demilitarized zone (DMZ) or behind a firewall that restricts inbound connections to it from the internet.
- Monitor for Compromise: Be vigilant for signs of compromise, such as unexpected configuration changes, slow network performance, or unknown devices listed in the router’s client table.
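The following is an added detection example written for this advisory; it is not code from the advisory's author or from EFM. It assumes that HTTP requests reaching the router are logged by an upstream reverse proxy, firewall or syslog collector in the common/combined log format (the A6004MX's own log format is not described here), that the local network uses the RFC 1918 ranges listed in the script, and that the vulnerable function name appears in the logged request target (the `act=` query parameter and the sample log lines are constructed placeholders). It flags any request that invokes commit_vpncli_file_upload, and any management-interface request arriving from a non-LAN address, which is the condition the "Restrict Access" step above is meant to eliminate.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: "local network" means these ranges. Adjust to the deployment's
# actual LAN prefixes.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

MGMT_PATH = "/cgi/timepro.cgi"             # management CGI named in the advisory
UPLOAD_FUNC = "commit_vpncli_file_upload"  # vulnerable function named in the advisory

# Common/combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    severity: str
    src: str
    ts: str
    reason: str


def is_lan_address(addr: str) -> bool:
    """True when the source address lies inside one of the configured LAN ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def analyze_line(line: str) -> Optional[Finding]:
    """Classify one log line; None means nothing of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target = m["src"], m["ts"], m["method"], m["target"]
    if not target.startswith(MGMT_PATH):
        return None
    from_lan = is_lan_address(src)
    # Assumption: the function name is visible in the logged request target.
    # If the firmware passes it in the POST body, the collector must log that field.
    if UPLOAD_FUNC in target:
        if from_lan:
            return Finding("low", src, ts,
                           f"{method} invoked {UPLOAD_FUNC} from LAN; confirm an administrator did this")
        return Finding("high", src, ts, f"{method} invoked {UPLOAD_FUNC} from a WAN address")
    if not from_lan:
        return Finding("medium", src, ts,
                       f"{method} to {MGMT_PATH} from a WAN address; remote administration should be disabled")
    return None


def analyze_logs(lines: List[str]) -> List[Finding]:
    """Run analyze_line over a batch of lines and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample lines (not real traffic). The "act=" parameter is a
# placeholder for however the firmware selects the upload function.
SAMPLE_LOGS = [
    '192.168.0.23 - - [10/Mar/2026:09:12:01 +0900] "GET /login.cgi HTTP/1.1" 200 512',
    '203.0.113.45 - - [10/Mar/2026:09:12:07 +0900] "POST /cgi/timepro.cgi HTTP/1.1" 200 88',
    '192.168.0.50 - - [10/Mar/2026:09:15:22 +0900] "POST /cgi/timepro.cgi?act=commit_vpncli_file_upload HTTP/1.1" 200 10',
    '198.51.100.9 - - [10/Mar/2026:09:16:40 +0900] "POST /cgi/timepro.cgi?act=commit_vpncli_file_upload HTTP/1.1" 200 10',
    '192.168.0.23 - - [10/Mar/2026:09:20:00 +0900] "GET /cgi/timepro.cgi?page=status HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in analyze_logs(SAMPLE_LOGS):
        print(f"[{f.severity.upper()}] {f.ts} {f.src}: {f.reason}")
```

Because the upload function requires no credentials, a LAN-sourced invocation is also reported rather than ignored: it is legitimate administrator use or it is an already-compromised internal host, and only the administrator can tell which. The LAN list is explicit rather than relying on Python's `ip_address.is_private`, which also treats the documentation ranges used in the sample lines as private.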
Vendor Status: The vendor was contacted prior to public disclosure but has not responded. Users should proactively monitor the official EFM website for security announcements and firmware releases.
Note: Due to the critical nature (CVSS 9.8) and public exploit availability, treating this vulnerability with the highest priority is essential for maintaining network security.