{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/efm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7834"}],"_cs_exploited":false,"_cs_products":["ipTIME NAS1dual 1.5.24"],"_cs_severities":["critical"],"_cs_tags":["stack-based-buffer-overflow","cve-2026-7834","iptime","nas","webserver"],"_cs_type":"advisory","_cs_vendors":["EFM"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability has been identified in EFM ipTIME NAS1dual version 1.5.24. The vulnerability resides within the \u003ccode\u003eget_csrf_whites\u003c/code\u003e function of the \u003ccode\u003e/cgi/advanced/misc_main.cgi\u003c/code\u003e file. Successful exploitation of this vulnerability allows a remote attacker to potentially execute arbitrary code on the affected device. Public exploits targeting this flaw are available, increasing the risk of widespread exploitation. The vendor, EFM, has been notified about the vulnerability but has not provided a response or patch as of this writing. 
This lack of responsiveness exacerbates the threat posed by this vulnerability, making it critical for users to implement mitigating measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable EFM ipTIME NAS1dual device running firmware version 1.5.24.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/cgi/advanced/misc_main.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an overly long string that overflows the buffer allocated for the \u003ccode\u003eget_csrf_whites\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the overwritten return address to point to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eget_csrf_whites\u003c/code\u003e function returns, transferring control to the attacker-specified address.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the NAS device, enabling them to install malware, steal data, or pivot to other network resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an attacker complete control over the affected EFM ipTIME NAS1dual device. This could lead to sensitive data stored on the NAS being compromised, the device being used as a bot in a botnet, or the device being held for ransom. Given the high CVSS score of 9.8, the impact is considered critical. 
Since public exploits are available, mass exploitation is a significant risk for unpatched devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/cgi/advanced/misc_main.cgi\u003c/code\u003e containing abnormally long strings (see Sigma rule \u003ccode\u003eDetect Suspicious URI Length\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to \u003ccode\u003e/cgi/advanced/misc_main.cgi\u003c/code\u003e to mitigate potential brute-force exploitation attempts (see Sigma rule \u003ccode\u003eDetect High Volume Requests to Vulnerable Endpoint\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to block requests with overly long inputs to the \u003ccode\u003eget_csrf_whites\u003c/code\u003e function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T14:16:09Z","date_published":"2026-05-05T14:16:09Z","id":"/briefs/2026-05-iptime-nas1dual-overflow/","summary":"A stack-based buffer overflow vulnerability exists in EFM ipTIME NAS1dual 1.5.24, affecting the get_csrf_whites function in /cgi/advanced/misc_main.cgi, exploitable remotely, and leading to potential arbitrary code execution.","title":"EFM ipTIME NAS1dual Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-iptime-nas1dual-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7833"}],"_cs_exploited":false,"_cs_products":["ipTIME C200"],"_cs_severities":["critical"],"_cs_tags":["command injection","iot","cve-2026-7833"],"_cs_type":"threat","_cs_vendors":["EFM"],"content_html":"\u003cp\u003eA critical command injection vulnerability, CVE-2026-7833, affects EFM ipTIME C200 devices up to version 1.092. 
The vulnerability resides within the \u003ccode\u003esub_408F90\u003c/code\u003e function of the \u003ccode\u003e/cgi/iux_set.cgi\u003c/code\u003e file, specifically the ApplyRestore endpoint. By manipulating the \u003ccode\u003eRestoreFile\u003c/code\u003e argument, an attacker can inject arbitrary commands that will be executed on the device. The vulnerability can be exploited remotely, and proof-of-concept exploit code is publicly available. The vendor was notified but did not respond, increasing the risk to users of these devices. This vulnerability allows for complete system compromise of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/cgi/iux_set.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eRestoreFile\u003c/code\u003e argument containing a command injection payload within the \u003ccode\u003eApplyRestore\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esub_408F90\u003c/code\u003e function processes the \u003ccode\u003eRestoreFile\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed with the privileges of the webserver process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to the internal network if the device acts as a gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker may install persistent backdoors or malware.\u003c/li\u003e\n\u003cli\u003eThe attacker could exfiltrate sensitive information or disrupt device operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7833 allows a remote attacker to execute arbitrary commands on the EFM ipTIME C200 device. 
This could lead to complete compromise of the device, including unauthorized access to the device\u0026rsquo;s configuration, data, and network. Given the device\u0026rsquo;s role as a network gateway, successful exploitation could also allow the attacker to pivot to other devices on the internal network. The lack of vendor response exacerbates the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply network access control lists to restrict access to the \u003ccode\u003e/cgi/iux_set.cgi\u003c/code\u003e endpoint from untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the \u003ccode\u003e/cgi/iux_set.cgi\u003c/code\u003e endpoint with unusual \u003ccode\u003eRestoreFile\u003c/code\u003e arguments. Deploy the Sigma rule to detect command injection attempts.\u003c/li\u003e\n\u003cli\u003eUtilize vulnerability scanning tools to identify potentially vulnerable EFM ipTIME C200 devices on the network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T13:16:31Z","date_published":"2026-05-05T13:16:31Z","id":"/briefs/2026-05-iptime-c200-cmd-injection/","summary":"EFM ipTIME C200 devices are vulnerable to remote command injection due to insufficient validation of the RestoreFile argument in the /cgi/iux_set.cgi endpoint, allowing attackers to execute arbitrary commands with elevated privileges.","title":"EFM ipTIME C200 Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-iptime-c200-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — EFM","version":"https://jsonfeed.org/version/1.1"}