CVE-2026-6074: Unauthenticated Path Traversal in Intrado 911 Emergency Gateway Threatens PSAP Call Routing

CISA published ICS advisory ICSA-26-113-06 on April 23 2026, disclosing CVE-2026-6074 — a path traversal vulnerability in the Intrado 911 Emergency Gateway (EGW) management interface affecting versions 5.x through 7.x. The vulnerability carries a CVSS 3.1 base score of 9.1 (Critical) and requires no authentication to exploit, only network access to the management interface.

Technical Details

The flaw allows an unauthenticated attacker to traverse directory paths outside the web root of the management interface, gaining arbitrary file read, write, and delete access to the underlying operating system. No credentials, prior session, or authenticated context are required.

Intrado released a patch addressing CVE-2026-6074 on March 2 2026 and has been directly contacting Public Safety Answering Point (PSAP) customers to coordinate remediation. CISA published the advisory 54 days after the patch release — a timeline that typically indicates difficulty reaching all affected customers through direct vendor notification alone.

What Is the Intrado 911 Emergency Gateway

The 911 Emergency Gateway is a Next Generation 911 (NG911) platform deployed by public safety communications centres to manage emergency call routing, PSAP-to-PSAP transfers, and Geographic Information System (GIS)-based call routing logic. It acts as the authoritative layer determining which PSAP receives a 911 call based on the caller’s location — the core function of any NG911 infrastructure.

Attack Scenarios

Arbitrary file write access on a 911 routing gateway introduces three distinct attack vectors:

Call routing manipulation. Modifying GIS routing configuration files could redirect 911 calls from one PSAP to another, or to no PSAP at all, in targeted geographic areas. This could prevent emergency calls from reaching the appropriate PSAP during an attack.

Persistent management access. Writing a web shell or modifying application configuration files provides persistent administrative control over the gateway without requiring ongoing exploitation of the vulnerability.

Service disruption. Deleting critical runtime or configuration files could disable call processing entirely, preventing 911 calls from being routed while the system is repaired or restored.

Exposure Context

The EGW management interface is designed to be accessible only from within the PSAP operator’s network. However, two realistic paths to exploitation exist: internet-exposed management interfaces on misconfigured PSAPs, and attackers who have obtained an initial foothold on the PSAP operations network through phishing or credential compromise. NG911 systems are increasingly interconnected through Emergency Services IP Networks (ESINet); lateral movement between PSAPs is a realistic secondary objective for a motivated attacker who achieves access to one PSAP’s management network.

Recommended Actions

• Apply the Intrado patch immediately if not yet installed — contact Intrado support directly if the update has not been received; coordinate through your state 911 programme office if direct vendor contact is unavailable.
• Confirm the EGW management interface is not internet-exposed — validate firewall rules restrict access to authorised PSAP administration networks only.
• Segment EGW management traffic from general PSAP operational networks using VLANs or access control lists.
• Audit the EGW file system using Intrado’s provided integrity verification tools to detect signs of pre-patch exploitation.
• Review ESINet access controls — confirm inter-PSAP routing connections cannot provide lateral access to the management interface from a compromised neighbouring PSAP’s network.
• Notify your state 911 coordinator or NG911 programme office if direct Intrado outreach has not been received — state-level coordination can accelerate patch deployment across smaller, less-resourced PSAPs.