critical threat

EFM ipTIME C200 Command Injection Vulnerability

EFM ipTIME C200 devices are vulnerable to remote command injection due to insufficient validation of the RestoreFile argument in the /cgi/iux_set.cgi endpoint, allowing attackers to execute arbitrary commands with elevated privileges.

A critical command injection vulnerability, CVE-2026-7833, affects EFM ipTIME C200 devices up to version 1.092. The vulnerability resides within the sub_408F90 function of the /cgi/iux_set.cgi file, specifically the ApplyRestore endpoint. By manipulating the RestoreFile argument, an attacker can inject arbitrary commands that will be executed on the device. The vulnerability can be exploited remotely, and proof-of-concept exploit code is publicly available. The vendor was notified but did not respond, increasing the risk to users of these devices. This vulnerability allows complete system compromise of affected devices.

Attack Chain

  1. The attacker sends a crafted HTTP POST request to /cgi/iux_set.cgi.
  2. The request includes the RestoreFile argument containing a command injection payload within the ApplyRestore endpoint.
  3. The sub_408F90 function processes the RestoreFile argument without proper sanitization.
  4. The injected command is executed with the privileges of the webserver process.
  5. The attacker gains arbitrary code execution on the device.
  6. The attacker pivots to internal network if the device acts as a gateway.
  7. The attacker may install persistent backdoors or malware.
  8. The attacker could exfiltrate sensitive information or disrupt device operations.

Impact

Successful exploitation of CVE-2026-7833 allows a remote attacker to execute arbitrary commands on the EFM ipTIME C200 device. This could lead to complete compromise of the device, including unauthorized access to the device’s configuration, data, and network. Given the device’s role as a network gateway, successful exploitation could also allow the attacker to pivot to other devices on the internal network. The lack of vendor response exacerbates the risk.

Recommendation

  • Apply network access control lists to restrict access to the /cgi/iux_set.cgi endpoint from untrusted networks.
  • Monitor web server logs for suspicious POST requests targeting the /cgi/iux_set.cgi endpoint with unusual RestoreFile arguments. Deploy the Sigma rule to detect command injection attempts.
  • Utilize vulnerability scanning tools to identify potentially vulnerable EFM ipTIME C200 devices on the network.

Detection coverage (2 rules)

Detect Command Injection Attempts via RestoreFile Argument

critical

Detects potential command injection attempts by monitoring POST requests to the /cgi/iux_set.cgi endpoint with suspicious characters in the RestoreFile argument.

Sigma rule. Tactics: execution. Techniques: T1059.004. Sources: webserver, linux.

Detect access to iux_set.cgi

medium

Detects access to /cgi/iux_set.cgi which could be related to exploitation of CVE-2026-7833.

Sigma rule. Tactics: execution. Techniques: T1059.004. Sources: webserver, linux.
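To illustrate what the two rules above look for, here is an added example (not the platform's Sigma rules and not vendor code) that classifies web-server log lines the way the rules do: any request to /cgi/iux_set.cgi is flagged at medium, and a POST whose RestoreFile argument contains shell metacharacters is flagged at critical. The log format, which assumes a reverse proxy records the URL-encoded POST body as the last quoted field, and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

TARGET_PATH = "/cgi/iux_set.cgi"
# Shell metacharacters that have no business in a restore-file name.
SUSPICIOUS = re.compile(r"[;|&`$<>\n\r]")

# Assumed log format (constructed, not a real ipTIME log): combined-style
# access line with the URL-encoded POST body appended as a last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<body>.*)"$'
)

def classify(line):
    """Return (severity, reason); severity is 'critical', 'medium' or None."""
    m = LOG_RE.match(line)
    if not m:
        return None, "unparsed line"
    path = m.group("path").split("?", 1)[0]
    if path != TARGET_PATH:
        return None, "other path"
    if m.group("method") != "POST":
        return "medium", "non-POST access to iux_set.cgi"
    # Split the body the way the CGI would, then decode once more so a
    # double-encoded value (e.g. %253B) is inspected as the shell would see it.
    params = parse_qs(m.group("body"), keep_blank_values=True)
    for value in params.get("RestoreFile", []):
        decoded = unquote_plus(value)
        if SUSPICIOUS.search(decoded):
            return "critical", "metacharacters in RestoreFile: %r" % decoded
    return "medium", "POST to iux_set.cgi"

def scan(lines):
    """Return (line_number, severity, reason) for every line that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        severity, reason = classify(line)
        if severity:
            hits.append((n, severity, reason))
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2026:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 1024 ""',
    '10.0.0.5 - - [03/May/2026:10:15:02 +0000] "GET /cgi/iux_set.cgi HTTP/1.1" 200 64 ""',
    '10.0.0.9 - - [03/May/2026:10:15:03 +0000] "POST /cgi/iux_set.cgi HTTP/1.1" 200 64 "RestoreFile=config.bin"',
    '198.51.100.7 - - [03/May/2026:10:15:04 +0000] "POST /cgi/iux_set.cgi HTTP/1.1" 200 64 "RestoreFile=config.bin%3Bid"',
    '198.51.100.7 - - [03/May/2026:10:15:05 +0000] "POST /cgi/iux_set.cgi HTTP/1.1" 200 64 "RestoreFile=config.bin%253Bid"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line shows why the value is decoded a second time: a double-encoded separator passes a check on the raw body but still becomes a metacharacter by the time the CGI hands it to a shell.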
