A critical security flaw has been discovered in Intrado's 911 Emergency Gateway, a system used by public safety answering points (PSAPs) across the United States. The vulnerability, tracked as CVE-2026-6074, carries a CVSS score of 9.1 out of 10, placing it firmly in the "critical" category. An attacker with existing network access could exploit a path traversal issue to reach the management interface without authentication, then read, modify, or delete sensitive configuration files.
What Is CVE-2026-6074?
CVE-2026-6074 is a path traversal vulnerability affecting Intrado's 911 Emergency Gateway. Path traversal, also known as directory traversal, allows an attacker to access files and directories stored outside the intended web root folder. By manipulating variables that reference files with "dot-dot-slash" sequences (e.g., ../), an attacker can escape the restricted file system area.
In this specific case, the flaw resides in the web management interface of the gateway. An unauthenticated attacker who already has network access to the device can send specially crafted HTTP requests to traverse directories and read arbitrary files. Worse, the attacker may also be able to modify or delete configuration files, potentially disrupting emergency call routing or exfiltrating sensitive network data.
Technical Breakdown
The vulnerability affects all versions of the Intrado 911 Emergency Gateway prior to the latest patch. The web server component fails to properly sanitize user-supplied input in file path parameters. By injecting path traversal sequences, an attacker can bypass authentication checks and access system files.
For example, a request like GET /../../../etc/passwd might return the contents of the password file if the server does not validate the path. While the exact exploit details are withheld to give administrators time to patch, the CVE entry confirms that the attack complexity is low and requires no special privileges beyond network access.
Impact on Emergency Services
Intrado's 911 Emergency Gateway is a critical piece of infrastructure for emergency call handling. It routes 911 calls from the public switched telephone network to the appropriate PSAP, and it manages location data and call routing rules. A compromised gateway could lead to:
- Call misrouting: An attacker could alter configuration files to send 911 calls to a non-existent or malicious destination.
- Service disruption: Deleting critical files could cause the gateway to fail, preventing 911 calls from being processed.
- Data theft: Configuration files often contain network topology, IP addresses, and other sensitive information that could aid further attacks.
Given that 911 systems are considered part of the U.S. critical infrastructure, the potential for real-world harm is significant.
Affected Versions and Patch Status
Intrado has released a security update to address CVE-2026-6074. The company urges all customers to apply the patch immediately. Affected versions include all releases before the patch date. Administrators should check their device firmware version and compare it against the patched version listed in Intrado's advisory.
Mitigation Steps
For organizations that cannot immediately apply the patch, Intrado recommends the following mitigations:
- Restrict network access: Ensure that the management interface is only accessible from trusted internal networks, and not exposed to the internet or untrusted zones.
- Use firewall rules: Block HTTP requests to the management interface from any IP addresses that do not require administrative access.
- Monitor logs: Watch for unusual HTTP requests containing path traversal patterns (e.g., ../, %2e%2e%2f).
- Change default credentials: If the gateway uses default passwords, change them immediately to strong, unique passwords.
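One way to implement the log monitoring step above is sketched below. This is an added example, not Intrado's code or part of its advisory; the access-log layout, the /view?file= endpoint and every sample line are constructed assumptions. It decodes each request target repeatedly, so double-encoded forms such as %252e%252e%252f are caught as well as ../ and %2e%2e%2f.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a common access-log layout (assumption: the
# gateway's real log format may differ; adjust REQUEST accordingly).
SAMPLE_LOG = """\
10.0.5.12 - - [01/Jan/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.0.5.40 - - [01/Jan/2026:10:00:07 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1432
10.0.5.40 - - [01/Jan/2026:10:00:09 +0000] "GET /view?file=%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 404 0
10.0.5.40 - - [01/Jan/2026:10:00:11 +0000] "GET /view?file=%252e%252e%252fconfig HTTP/1.1" 403 0
10.0.5.13 - - [01/Jan/2026:10:00:15 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 88
"""

REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ".." counts only as a whole path segment, so "v1..2" is not flagged.
TRAVERSAL = re.compile(r"(?:^|[/\\=&?])\.\.(?:[/\\]|$)")


def fully_decode(target, max_rounds=3):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(log_text):
    """Return one record per request whose decoded target contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        if TRAVERSAL.search(fully_decode(m["target"])):
            hits.append({
                "src": m["src"],
                "target": m["target"],
                "status": int(m["status"]),
                # A 2xx answer means the server served the request: triage first.
                "served": m["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "rejected"
        print(f'{hit["src"]} {hit["status"]} {flag:8} {hit["target"]}')
```

Hits that were answered with a 2xx status deserve the first look, since they indicate the request was served rather than rejected.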
Industry Reaction
Security researchers have raised concerns about the vulnerability's CVSS score and the slow adoption of patches in the emergency services sector. Many PSAPs operate with limited IT staff and may not have robust patch management processes. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6074 to its Known Exploited Vulnerabilities catalog, signaling that active exploitation is possible.
Bottom Line
CVE-2026-6074 is a serious threat to emergency communication infrastructure. The vulnerability allows an attacker with network access to fully compromise the 911 Emergency Gateway without authentication. Administrators must prioritize patching, restrict access to the management interface, and monitor for signs of exploitation. The safety of 911 callers depends on swift action.