CVE-2026-1740
Published: 02 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-1740 is an improper authentication vulnerability (CWE-287) in the EFM ipTIME A8004T router firmware version 14.18.2. It affects the httpcon_check_session_url function in the /cgi/timepro.cgi file of the Hidden Hiddenloginsetup Interface component.
The vulnerability enables remote exploitation by unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) with low complexity and no user interaction required. Successful attacks result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), earning a CVSS v3.1 base score of 7.3. A public exploit is available and could be used.
VulDB entries (ctiid.343639, id.343639, submit.741422) and a GitHub issue describe the flaw and note that the vendor was contacted early about the disclosure but did not respond. No patches or official mitigations are mentioned.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper authentication flaw in a public-facing router web interface (/cgi/timepro.cgi), enabling unauthenticated remote exploitation (AV:N/AC:L/PR:N/UI:N), directly mapping to T1190: Exploit Public-Facing Application.