IntegSec - Next Level Cybersecurity

CVE-2026-6074: Intrado 911 Emergency Gateway Path Traversal - What It Means for Your Business and How to Respond

Written by Mike Chamberland | 5/2/26 12:00 PM

CVE-2026-6074: Intrado 911 Emergency Gateway Path Traversal - What It Means for Your Business and How to Respond

CVE-2026-6074 represents a critical vulnerability in critical infrastructure that could disrupt emergency response operations across the United States and Canada. Businesses relying on 911 systems, particularly public safety organizations, emergency service providers, and enterprises with integrated telephony, face heightened risks of service outages and data compromise. This post explains the business implications, helps you assess exposure, and provides actionable steps to protect your operations, with technical details reserved for your security team in the appendix.

S1 — Background & History

CVE-2026-6074 was publicly disclosed on April 23, 2026, through the National Vulnerability Database, following an advisory from ICS-CERT under CISA ICSA-26-113-06. The vulnerability affects the Intrado 911 Emergency Gateway (EGW), a key system used by public safety answering points (PSAPs) to route 911 calls and location data between telecom networks and dispatch centers in the US and Canada.

Intrado released a software patch on March 2, 2026, after internal discovery, notifying affected customers to coordinate deployment. The flaw carries a CVSS v4.0 base score of 9.3 (Critical) from ICS-CERT, reflecting its potential for high-impact file manipulation without authentication. It stems from a path traversal issue, where attackers manipulate file paths to access restricted areas, a common yet dangerous flaw in network appliances. Key timeline events include vendor patching in early March, CISA advisory issuance on April 22, and NVD publication the next day, underscoring rapid government response to protect emergency services.

S2 — What This Means for Your Business

This vulnerability puts your emergency communications at direct risk, potentially halting 911 call routing and location services during crises. If exploited, attackers with network access can read, alter, or delete critical configuration files, leading to system downtime that delays police, fire, or medical responses and endangers lives.

Operationally, you could face prolonged outages in high-stakes environments, straining backup plans and increasing liability exposure under regulations like the U.S. Next Generation 911 (NG911) standards or Canada's CRTC emergency service rules. Data breaches might expose caller details or PSAP configurations, inviting regulatory fines from bodies such as the FCC or provincial authorities, alongside class-action lawsuits from affected communities.

Reputationally, any disruption tied to your infrastructure erodes public trust in your ability to handle emergencies, damaging partnerships with carriers and government agencies. Compliance failures could trigger audits or contract losses, while recovery costs mount from expedited patching and forensic investigations. You must prioritize this to safeguard continuity and demonstrate due diligence to stakeholders.

S3 — Real-World Examples

Regional PSAP Outage: A mid-sized U.S. public safety answering point experiences a network probe that exploits the flaw, corrupting routing tables. 911 calls fail to reach dispatchers for hours, delaying responses to multiple incidents and prompting emergency mutual aid from neighboring counties.

Municipal Emergency Network Disruption: In a Canadian city, the local government's integrated 911 gateway falls victim during routine network maintenance. Attackers delete key logs and configs, forcing a full system rebuild that sidelines services for a day and exposes sensitive caller data to potential ransom demands.

Enterprise Telephony Provider Hit: A large telecom firm serving enterprise clients sees its backup EGW compromised via an internal network pivot. File modifications disrupt text-to-911 features, leading to failed alerts from corporate campuses and regulatory scrutiny over service reliability.

Small Rural Dispatch Center Impact: A rural U.S. county's sole EGW is targeted after a phishing incident grants network foothold. The breach erases historical call records, complicating investigations and insurance claims while the center scrambles with manual routing, straining limited staff resources.

S4 — Am I Affected?

  • You operate Intrado 911 Emergency Gateway versions 5.x, 6.x, or 7.x in your PSAP or carrier network.

  • Your organization provides or integrates with NG911 or legacy 911 services in the US or Canada using EGW for call routing.

  • The EGW management interface is accessible from internal networks without strict segmentation or firewalls.

  • You have not applied Intrado's March 2, 2026, software update or coordinated patching with vendor support.

  • Your network includes shared segments between business systems and emergency infrastructure, allowing lateral movement.

  • Logs show no recent audits for path traversal attempts like "../" patterns on EGW ports.

Key Takeaways

  • CVE-2026-6074 enables unauthenticated attackers to manipulate files in Intrado 911 EGW, threatening emergency call routing nationwide.

  • You risk operational downtime, data loss, regulatory penalties, and reputational harm if your systems remain unpatched.

  • Public safety providers and carriers must verify affected versions 5.x through 7.x and apply vendor fixes immediately.

  • Network segmentation and access controls serve as vital interim defenses until full remediation.

  • Engage experts like IntegSec to assess exposure and strengthen your overall cybersecurity posture.

Call to Action

Contact IntegSec today at https://integsec.com for a targeted penetration test of your 911 infrastructure. Our team delivers comprehensive risk assessments and customized hardening strategies to minimize disruptions and ensure compliance. Secure your operations with proven expertise; schedule your consultation now.

TECHNICAL APPENDIX (security engineers, pentesters, IT professionals only)

A — Technical Analysis

The root cause lies in inadequate input validation within the EGW management interface's file handling component, permitting directory traversal sequences like "../" or ".../...//". This CWE-35 (Path Traversal: '.../...//') flaw allows network-adjacent attackers to bypass authentication and reach arbitrary files.

The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N) required. Exploitation grants high confidentiality, integrity, and availability impacts (VC:H/VI:H/VA:H). The CVSS v4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, yielding a 9.3 critical score per ICS-CERT. Reference the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2026-6074 and CISA ICSA-26-113-06 for full details.

B — Detection & Verification

Version Enumeration:

  • Query EGW via HTTP: curl -s -I http://<EGW_IP>/management | grep -i version or check response headers for "EGW/5.x", "6.x", "7.x".

  • Use Nmap scripting: nmap -p 80,443 --script http-title,http-headers <EGW_IP> to identify banners.

Scanner Signatures and Indicators:

  • Nessus/Tenable plugin for ICSA-26-113-06; OpenVAS checks for path traversal in Intrado EGW.

  • Log anomalies: Unauthorized 200 OK on /management paths; file access errors in EGW syslog for paths containing "../".

Behavioral and Network Indicators:

  • Traffic spikes with "../", "%2e%2e%2f", or ".../...//" in URI payloads to management ports.

  • Unexpected file reads/writes in audit logs; system calls to open() outside web root; entropy changes in config directories.

C — Mitigation & Remediation

  1. Immediate (0–24h): Isolate EGW networks behind firewalls; block management interface from untrusted segments. Disable internet-facing access and enforce VPN-only remote admin. Hunt for IOCs like traversal attempts in proxy/IDS logs.

  2. Short-term (1–7d): Apply Intrado's March 2, 2026, patch via vendor support coordination. Verify deployment with version checks and re-scan. Rotate any exposed credentials and monitor for anomalous file mods.

  3. Long-term (ongoing): Segment ICS networks per CISA guidelines; deploy EDR on adjacent systems. Conduct regular pentests focusing on path traversal; input validation audits; zero-trust access for management ports. Update to future EGW releases promptly.

D — Best Practices

  • Sanitize all user-supplied paths with whitelisting and canonicalization before filesystem operations.

  • Deploy web application firewalls (WAF) tuned for traversal patterns like "../" and encoded variants.

  • Principle of least privilege: Run EGW services under restricted accounts without shell access.

  • Enable comprehensive logging of file operations and integrate with SIEM for real-time alerts.

  • Perform routine code reviews and fuzz testing on file-handling endpoints in network appliances.
View full post