Critical Vivotek Vulnerability Allows Remote Attackers to Inject Arbitrary Code

The Akamai Security Intelligence and Response Team (SIRT) has disclosed a critical command injection vulnerability in Vivotek legacy camera firmware that permits remote attackers to execute arbitrary code without authentication.

Assigned CVE-2026-22755, the flaw resides in the upload_map.cgi script and affects dozens of camera models across multiple product lines.

Analysis of the firmware’s passwd file revealed that no default passwords are configured, making exploitation trivial for unauthenticated remote users.

Vulnerability Details

The vulnerability stems from improper input validation in the filename parameter passed to upload_map.cgi.

The vulnerable code uses the snprintf() function to format a shell command string (“mv %s %s”) with user-supplied input, which is subsequently passed to the system() function without sanitization.

By injecting shell metacharacters, specifically semicolons, into the filename, attackers can break out of the intended command and execute arbitrary system commands as the root user.

The snprintf() function concatenates user input directly into a command string destined for system() execution, enabling classic command injection.

An attacker supplying a filename such as test_firmware.bin;id; causes the shell to execute the injected id command after the legitimate move operation fails.
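The fix on the handler side is to stop building a shell command from the filename at all. The following is an added example, not Vivotek's code: it replaces the "snprintf into mv %s %s, then system()" pattern described above with an allowlist check on the name and a rename(2) call, so no shell ever parses user input. The function names and the upload directory are assumptions for illustration.

```c
/* Added example (not Vivotek's firmware code): hardened replacement for a
 * handler that formatted "mv %s %s" with a user-supplied filename and passed
 * it to system(). Two changes: the name is validated against an allowlist of
 * characters, and the file is moved with rename(2), which takes two paths
 * and never invokes /bin/sh. Names and UPLOAD_DIR are illustrative. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_DIR "/tmp/uploads"   /* assumed destination directory */
#define MAX_NAME   64

/* Return 1 if name is a plain base name built only from [A-Za-z0-9._-],
 * does not start with '.', and is neither empty nor over MAX_NAME; else 0.
 * A shell metacharacter such as ';' or a '/' path separator fails here. */
int filename_is_safe(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len >= MAX_NAME) return 0;
    if (name[0] == '.') return 0;            /* rejects ".", "..", dotfiles */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Build UPLOAD_DIR/name for a validated name. Returns 1 on success, 0 if the
 * name is rejected or the path would not fit. snprintf is used only to join
 * two path components, never to build a command line. */
int build_dest_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!filename_is_safe(name)) return 0;
    n = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, name);
    return n > 0 && (size_t)n < outlen;
}

/* Move an uploaded temp file into place without a shell.
 * Returns 0 on success, -1 if the name is rejected, or -errno if rename fails. */
int safe_move_upload(const char *tmp_path, const char *name)
{
    char dest[256];
    if (!build_dest_path(name, dest, sizeof dest)) return -1;
    if (rename(tmp_path, dest) != 0) return -errno;
    return 0;
}

int main(void)
{
    /* Constructed sample names, including the injection string from the article. */
    const char *samples[] = { "test_firmware.bin", "test_firmware.bin;id;", "../etc/passwd", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               filename_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allowlist is deliberately stricter than "strip semicolons": a denylist of known metacharacters tends to miss backticks, `$()`, newlines or percent-encoded variants, whereas accepting only a fixed character set needs no knowledge of which shell will parse the string, and with rename(2) there is no shell to worry about anyway.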

Successful exploitation requires five specific conditions:

  • File size under 5 MB
  • Uploaded binary must pass firmware verification (checks for magic bytes: FF V FF FF at start, FF K FF FF at end)
  • /usr/sbin/confclient binary must return: capability_remotecamctrl_master=1
  • Boa web server must use nonstandard environment variables for CGI-bin data passing
  • Script must be called via upload_map.cgi (not file_manager.cgi, which implements access checks)

The researchers developed a bash script that creates minimal firmware files with valid magic bytes and padding, successfully bypassing verification checks. Environment variables (REQUEST_METHOD=POST, CONTENT_LENGTH, QUERY_STRING, POST_FILE_NAME) are configured to trigger exploitation on ARM architecture emulators.

During testing, the researchers executed the id command through the injected filename parameter. The resulting output confirmed command execution as root:

uid=0(root) gid=0(root) groups=0(root)

System call tracing via strace confirmed successful command execution, with the shell parsing the semicolon delimiter and executing the injected payload.

Over 33 camera models are impacted, including the FD, FE, IB, IP, IT, MA, MS, and TB series. Vulnerable firmware versions range from 0100a through 0125c, encompassing legacy and end-of-life product lines still deployed in production environments.

Detection: Deploy the provided YARA rule to identify exploit attempts targeting /cgi-bin/admin/upload_map.cgi with camid parameters.
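For teams that want a log-side check alongside the YARA rule, the following is an added example and not Akamai's rule or any Vivotek code: a small scanner over web-server access-log lines that flags requests to /cgi-bin/admin/upload_map.cgi whose request target or logged filename carries a shell metacharacter, raw or percent-encoded. The log format and the sample lines are constructed for illustration.

```c
/* Added example (not Akamai's YARA rule): flag access-log lines that hit the
 * vulnerable endpoint and carry a shell metacharacter in the request target
 * or the logged upload filename. The log format is an assumption; lines in
 * SAMPLE_LOG are constructed, not real traffic. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET "/cgi-bin/admin/upload_map.cgi"

/* Percent-decode in into out (size outlen) so that %3B is seen as ';'.
 * '+' becomes a space. Returns the number of bytes written. */
static size_t url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Return 1 if the line is a request to TARGET and, after decoding, the text
 * from the endpoint onward contains a character that terminates or chains a
 * shell command (';', '|', '`', '$', newline); 0 otherwise. '&' is left out
 * because it is the normal query-string separator. */
int request_is_suspicious(const char *line)
{
    char decoded[1024];
    const char *hit = strstr(line, TARGET);
    if (hit == NULL) return 0;                 /* some other endpoint */
    url_decode(hit, decoded, sizeof decoded);
    return strpbrk(decoded, ";|`$\n") != NULL;
}

/* Count suspicious lines in an array of log lines. */
int count_suspicious(const char *const *lines, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) count += request_is_suspicious(lines[i]);
    return count;
}

/* Constructed sample log lines: one unrelated request, one benign upload,
 * one with the raw injection string from the article, one percent-encoded. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] \"GET /cgi-bin/viewer/video.jpg HTTP/1.1\" 200 12345",
    "10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] \"POST /cgi-bin/admin/upload_map.cgi?camid=0 HTTP/1.1\" 200 50 filename=\"map1.bin\"",
    "10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] \"POST /cgi-bin/admin/upload_map.cgi?camid=0 HTTP/1.1\" 200 50 filename=\"test_firmware.bin;id;\"",
    "10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] \"POST /cgi-bin/admin/upload_map.cgi?camid=0 HTTP/1.1\" 200 50 filename=\"fw.bin%3Bid%3B\"",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (request_is_suspicious(SAMPLE_LOG[i]))
            printf("SUSPICIOUS: %s\n", SAMPLE_LOG[i]);
    printf("%d of %zu lines flagged\n",
           count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

Any request to upload_map.cgi from a device that should never receive firmware uploads is worth an alert on its own; the metacharacter check only narrows the hit to likely exploitation attempts. Because the Boa server passes the upload through nonstandard CGI environment variables, the filename may not appear in a standard access log at all, so the same check is best applied to full request captures or a reverse proxy in front of the cameras.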

Remediation: Implement immediate input validation on all filename parameters. Sanitize or restrict uploads to authorized directories. Vendors should release patched firmware versions, prioritizing legacy devices still in active deployment.

This vulnerability underscores critical security deficiencies in IoT device firmware development. Organizations operating affected Vivotek cameras should prioritize updates and implement network segmentation to minimize exploitation risk.


The post Critical Vivotek Vulnerability Allows Remote Attackers to Inject Arbitrary Code appeared first on Cyber Security News.
