A important distant code injection vulnerability in Vivotek legacy firmware that permits unauthenticated attackers to execute arbitrary instructions with root privileges.
The vulnerability, tracked as CVE-2026-22755, impacts dozens of digital camera fashions and poses important dangers to organizations counting on legacy surveillance infrastructure.
The vulnerability exists within the upload_map.cgi script, the place user-supplied filenames are processed by way of an unsanitized snprintf() operate earlier than being handed to the system() name.
This permits attackers to inject shell instructions through specifically crafted filenames that include metacharacters, resembling semicolons.
Vivotek Vulnerability
Akamai researchers found that Vivotek legacy cameras lack password safety by default, eliminating authentication limitations.
The exploit requires 5 particular situations: file measurement below 5MB, firmware verification bypass, and an intact /usr/sbin/confclient binary.
Disassembled code exhibiting consumer enter handed to system() (supply : Akamai)
Non-standard internet server atmosphere variables, and entry by way of upload_map.cgi slightly than file_manager.cgi.
Researchers created a bash script that generates legitimate firmware photographs with correct magic bytes (FF V FF FF header and FF Ok FF FF footer) to bypass validation checks.
By setting atmosphere variables, together with POST_FILE_NAME=”test_firmware.bin; id;”, attackers set off command execution as the basis consumer, as evidenced by proof-of-concept demonstrations wherein the id command confirmed a uid of 0 (root).
Decompiled code exhibiting how cgi-bin script should be known as( supply: Akamai)
The vulnerability impacts 36 digital camera fashions throughout a number of product strains.
Mannequin SeriesAffected FirmwareFD8365, FD9165, FD93710100a–0125cFE9180, FE91910100a–0125cIB9365, IP9165, IP91710100a–0125cMA9321, MS9390, TB93300100a–0125c
Assault State of affairs
An attacker can remotely add a malicious firmware file with an embedded command within the filename.
When processed by the susceptible upload_map.In a CGI script, the shell metacharacter triggers command execution.
The ensuing payload executes with root privileges, enabling full system compromise, lateral community motion, botnet set up, or knowledge exfiltration.
In accordance with Akamai, organizations ought to implement network-level detection utilizing the next YARA rule to establish exploitation makes an attempt:
rule CVE_2026_22755_Vivotek_upload
{
meta:
description = “Detects upload_map.cgi requests with camid parameter”
strings:
$path = “/cgi-bin/admin/upload_map.cgi”
$param = “camid=”
situation:
all of them
}
Prioritize firmware updates for affected digital camera fashions instantly. Implement community segmentation to isolate legacy digital camera infrastructure.
Deploy intrusion detection signatures for malicious upload_map.cgi requests. Conduct stock audits to establish deployed susceptible gadgets.
Monitor for suspicious file uploads and POST requests to digital camera administration interfaces.
This vulnerability represents a important IoT safety threat, notably for organizations working legacy surveillance programs in important infrastructure, healthcare, and enterprise environments.
Unauthenticated distant code execution with root privileges allows full machine compromise and potential community propagation by way of botnet-based distributed denial-of-service assaults.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
