EFM ipTIME C200 Vulnerability: Remote Command Injection Exposed

A critical vulnerability, tracked as CVE-2026-7833, has been identified in EFM ipTIME C200 devices running firmware versions up to 1.092. According to the National Vulnerability Database, the flaw resides in the sub_408F90 function of the /cgi/iux_set.cgi component, which handles the ApplyRestore endpoint. Manipulating the RestoreFile argument results in command injection.

This is a severe issue, rated 7.2 (HIGH) on the CVSS scale, as it allows for remote command injection. The National Vulnerability Database confirms that an exploit for this vulnerability is publicly available, significantly increasing the risk of widespread attacks. The vendor, EFM, was reportedly contacted prior to disclosure but has not responded.

For defenders, this means any EFM ipTIME C200 device still running an affected firmware version is immediately exposed to remote attackers. The public exploit lowers the bar for exploitation, making these devices prime targets for initial access. Attackers can leverage this to gain full control over the router, pivot into internal networks, or launch further attacks.

What This Means For You

  • If your organization uses EFM ipTIME C200 routers, immediately verify your firmware version. Any device running version 1.092 or earlier is vulnerable to remote command injection. Isolate these devices if patching is not an immediate option, and monitor network traffic for any anomalous activity originating from or targeting these routers.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-7833: EFM ipTIME C200 Remote Command Injection via ApplyRestore Endpoint

Sigma YAML:

title: CVE-2026-7833: EFM ipTIME C200 Remote Command Injection via ApplyRestore Endpoint
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7833 by targeting the ApplyRestore endpoint (/cgi/iux_set.cgi) with a RestoreFile parameter. This is a critical initial access vector for remote command injection.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7833/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi/iux_set.cgi'
    # cs-uri-query covers only the query string; a RestoreFile value sent in the
    # request body does not appear in standard web server access logs.
    cs-uri-query|contains:
      - 'RestoreFile='
    # Plain value match: Sigma defines no "exact" modifier.
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
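
The rule's three selection items applied to access-log lines, as an added example that is not part of the original page or the feed's tooling. It goes slightly beyond the rule by decoding percent-encoding before matching. The Combined Log Format input (as a gateway or reverse proxy in front of the device might record it), the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT = "/cgi/iux_set.cgi"  # from the rule's cs-uri selection
PARAM = "restorefile"          # from the rule's cs-uri-query selection, lowercased


def match_line(line):
    """Return (ip, status) if the line satisfies all three selection items, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"].upper() != "POST":
        return None
    path, _, query = m["target"].partition("?")
    # Decode percent-encoding so an encoded path or key is compared in clear text.
    if ENDPOINT not in unquote(path).lower():
        return None
    keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    if PARAM not in keys:
        # A parameter carried in the POST body is invisible here (see SAMPLE_LOG[3]).
        return None
    return m["ip"], int(m["status"])


def hits_by_source(lines):
    """Count matching requests per client IP."""
    return Counter(hit[0] for hit in map(match_line, lines) if hit)


# Constructed sample lines (documentation-range IPs, harmless values).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/May/2026:16:20:01 +0000] "POST /cgi/iux_set.cgi?RestoreFile=backup.cfg HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/May/2026:16:20:09 +0000] "POST /cgi/iux_set.cgi?Restore%46ile=backup.cfg HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/May/2026:16:21:00 +0000] "GET /cgi/iux_set.cgi?RestoreFile=backup.cfg HTTP/1.1" 405 0',
    '203.0.113.9 - - [05/May/2026:16:21:30 +0000] "POST /cgi/iux_set.cgi HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/May/2026:16:22:00 +0000] "POST /cgi/other.cgi?RestoreFile=backup.cfg HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, count in hits_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s) matching the ApplyRestore selection")
```

The fourth sample line shows the rule's blind spot: a POST to the endpoint with no query string matches nothing, so coverage of body-borne parameters needs a proxy or WAF that logs request bodies.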

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7833 | Vulnerability | CVE-2026-7833
CVE-2026-7833 | Affected Product | EFM ipTIME C200

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 05, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
