MidnightBSD

Advisories for iptime

CVE-2020-7847 MEDIUM

The ipTIME NAS product allows an arbitrary file upload vulnerability in the Manage Bulletins/Upload feature, which can be leveraged to gain remote code execution. This issue affects: pTIME NAS 1.4.36.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vuln@krcert.or.kr 7.4 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.5 5.9
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,CWE-434,

Products Affected

Vendor Product Version
iptime nas101_firmware *
iptime nas-i_firmware *
iptime nas1dual_firmware *
iptime nas3_firmware *
iptime nas-ii_firmware *
iptime nas2dual_firmware *
iptime nas-iie_firmware *
iptime nas4dual_firmware *
iptime nas4_firmware *
CVE-2020-7848 HIGH

The EFM ipTIME C200 IP Camera is affected by a Command Injection vulnerability in /login.cgi?logout=1 script. To exploit this vulnerability, an attacker can send a GET request that executes arbitrary OS commands via cookie value.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9
vuln@krcert.or.kr 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-77,

Products Affected

Vendor Product Version
iptime c200_firmware 1.0.12
CVE-2020-7879 MEDIUM

This issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]') . The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vuln@krcert.or.kr 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
iptime c200_firmware *
CVE-2021-26614 HIGH

ius_get.cgi in IpTime C200 camera allows remote code execution. A remote attacker may send a crafted parameters to the exposed vulnerable web service interface which invokes the arbitrary shell command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vuln@krcert.or.kr 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-749,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
iptime c200_firmware *
CVE-2021-26620 MEDIUM

An improper authentication vulnerability leading to information leakage was discovered in iptime NAS2dual. Remote attackers are able to steal important information in the server by exploiting vulnerabilities such as insufficient authentication when accessing the shared folder and changing user’s passwords.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vuln@krcert.or.kr 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
iptime nas101_firmware *
iptime nas-i_firmware *
iptime nas1dual_firmware *
iptime nas3_firmware *
iptime nas-ii_firmware *
iptime nas2dual_firmware *
iptime nas-iie_firmware *
iptime nas4dual_firmware *
iptime nas4_firmware *
CVE-2022-23765

This vulnerability occured by sending a malicious POST request to a specific page while logged in random user from some family of IPTIME NAS. Remote attackers can steal root privileges by changing the password of the root through a POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vuln@krcert.or.kr 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.1 5.9
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
iptime nas1dual_firmware *
iptime nas2dual_firmware *
iptime nas4dual_firmware *
CVE-2022-23771

This vulnerability occurs in user accounts creation and deleteion related pages of IPTIME NAS products. The vulnerability could be exploited by a lack of validation when a POST request is made to this page. An attacker can use this vulnerability to or delete user accounts, or to escalate arbitrary user privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
vuln@krcert.or.kr 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
iptime nas1dual_firmware *
iptime nas2dual_firmware *
iptime nas4dual_firmware *
CVE-2025-50464

A buffer overflow vulnerability exists in the upload.cgi module of the iptime NAS firmware v1.5.04. The vulnerability arises due to the unsafe use of the strcpy function to copy attacker-controlled data from the CONTENT_TYPE HTTP header into a fixed-size stack buffer (v8, allocated 8 bytes) without bounds checking. Since this operation occurs before authentication logic is executed, the vulnerability is exploitable pre-authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
iptime nas_firmware 1.5.04
CVE-2025-55423

A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection.

Products Affected

Vendor Product Version
iptime a104r_firmware -
iptime n604rplus_firmware *
iptime n604t_firmware *
iptime n804t_firmware *
iptime a2008_firmware *
iptime t16000_firmware *
iptime t24000_firmware *
iptime a2004plus_firmware *
iptime a604g-mu_firmware *
iptime ax11000_firmware *
iptime n104q-i_firmware *
iptime n604s_firmware *
iptime n2e_firmware *
iptime a9004m-x2_firmware *
iptime t3004_firmware *
iptime a6ns-m_firmware *
iptime n8004r_firmware *
iptime a3004ns-dual_firmware *
iptime n1e_firmware *
iptime t16000m_firmware *
iptime n702e_firmware *
iptime a604r_firmware *
iptime a7ns_firmware *
iptime n104plus_firmware *
iptime a3004-dual_firmware *
iptime n1v_firmware *
iptime a1004v_firmware *
iptime n8004v_firmware *
iptime a1_firmware *
iptime n804_firmware *
iptime t24000m_firmware *
iptime a2004ns_firmware *
iptime a604-v5_firmware *
iptime n104e_firmware *
iptime n804v_firmware *
iptime n104v_firmware *
iptime n704bcm_firmware *
iptime a8ns-m_firmware *
iptime n3-i_firmware *
iptime ax3004itl_firmware *
iptime a8004ns-m_firmware *
iptime n604plus-i_firmware *
iptime n702bcm_firmware *
iptime n602se_firmware *
iptime n600_firmware *
iptime n604a_firmware *
iptime n904v_firmware *
iptime a3004tw_firmware *
iptime a3004ns_firmware *
iptime a2004r_firmware *
iptime a2004se_firmware *
iptime n2plus_firmware *
iptime n1plus-i_firmware *
iptime v504_firmware *
iptime n602eplus_firmware *
iptime n604tplus_firmware *
iptime a304_firmware *
iptime n104s-r1_firmware *
iptime a604v_firmware *
iptime n604se_firmware *
iptime a104ns_firmware *
iptime a1004_firmware *
iptime n102iplus_firmware *
iptime a5004ns_firmware *
iptime n604vplus_firmware *
iptime a2004_firmware *
iptime q504_firmware 9.91.2
iptime n7004ns_firmware 9.91.2
iptime a1004ns_firmware *
iptime a6004ns_firmware *
iptime v304_firmware 9.91.2
iptime a2003ns-mu_firmware *
iptime n702r_firmware *
iptime n6_firmware *
iptime a5004ns-m_firmware *
iptime n604plus_firmware *
iptime n2eplus_firmware *
iptime n102i_firmware *
iptime n904plus_firmware *
iptime n604r_firmware *
iptime ax8004bcm_firmware *
iptime a2004ns-mu_firmware *
iptime n604e_firmware *
iptime ax3004bcm_firmware *
iptime a3004m_firmware *
iptime a9004m_firmware *
iptime n2plus-i_firmware *
iptime a604se_firmware *
iptime n604rplus-i_firmware *
iptime a3004t_firmware *
iptime n102e_firmware *
iptime n104r_firmware *
iptime a2003mu_firmware *
iptime n604_black_firmware *
iptime n104plus-i_firmware *
iptime n1plus_firmware *
iptime a604-v3_firmware *
iptime n104eplus_firmware *
iptime t5004_firmware *
iptime q1_firmware 9.91.2
iptime n5_firmware *
iptime ew302n_firmware *
iptime n102eplus_firmware *
iptime n704-a3_firmware *
iptime a8004bcm_firmware *
iptime n704e_firmware *
iptime n604v_firmware *
iptime t3008_firmware *
iptime a3003ns_firmware *
iptime a3004ns-m_firmware *
iptime n602e_firmware *
iptime ax2004bcm_firmware *
iptime n704qca_firmware *
iptime n804r_firmware *
iptime ax2004_firmware *
iptime a6004ns-m_firmware *
iptime a6004mx_firmware *
iptime n5-i_firmware *
iptime a3002mesh_firmware *
iptime a3004ns-bcm_firmware *
iptime n104k_firmware *
iptime a804ns-mu_firmware *
iptime a8004t-xr_firmware *
iptime n704ns_firmware *
iptime n604eplus_firmware *
iptime n704v3_firmware *
iptime n2vs_firmware 12.16.8
iptime a3004_firmware *
iptime a2004nsplus_firmware *
iptime ax8004m_firmware *
iptime a604mu_firmware *
iptime q304_firmware 9.91.2
iptime n6004r_firmware *
iptime a2004ns-r_firmware *
iptime n104_black_firmware *
iptime a7004m_firmware *
iptime n104q_firmware *
iptime a2004mu_firmware *
iptime a604g-skylife_firmware *
iptime ax2004m_firmware *
iptime a104_firmware *
iptime n702eplus_firmware *
iptime a604m_firmware *
iptime n3_firmware *
iptime a8004itl_firmware *
iptime n904_firmware *
iptime n704eplus_firmware *
iptime ax8008m_firmware *
iptime t5008_firmware *
iptime q604_firmware 9.91.2
iptime a704ns-bcm_firmware *
iptime n804a_firmware *
iptime ax2002mesh_firmware *
iptime a104r_firmware *
iptime v508_firmware *
iptime n804t3_firmware *
iptime a3008-mu_firmware *
iptime a8004t_firmware *
iptime smart_firmware *
iptime n904ns_firmware *
iptime n804a3_firmware *
iptime n2v_firmware *
iptime a3_firmware *
iptime a604_firmware *
CVE-2026-1740 HIGH

A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
iptime a8004t_firmware 14.18.2
CVE-2026-1741 MEDIUM

A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-912,

Products Affected

Vendor Product Version
iptime a8004t_firmware 14.18.2
CVE-2026-1742 MEDIUM

A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-434,CWE-434,

Products Affected

Vendor Product Version
iptime a8004t_firmware 14.18.2
CVE-2026-24498

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in EFM-Networks, Inc. IpTIME T5008, EFM-Networks, Inc. IpTIME AX2004M, EFM-Networks, Inc. IpTIME AX3000Q, EFM-Networks, Inc. IpTIME AX6000M allows Authentication Bypass.This issue affects ipTIME T5008: through 15.26.8; ipTIME AX2004M: through 15.26.8; ipTIME AX3000Q: through 15.26.8; ipTIME AX6000M: through 15.26.8.

Products Affected

Vendor Product Version
iptime t5008_firmware *
iptime ax6000m_firmware *
iptime ax2004m_firmware *
iptime ax3000q_firmware *