Vivotek: Critical Vivotek Vulnerability Allows Remote Users to Inject Arbitrary Code

Critical Remote Code Execution Flaw in Vivotek Legacy Cameras Exposes Networks to Root-Level Attacks

Akamai researchers have uncovered a severe remote code execution (RCE) vulnerability in Vivotek’s legacy firmware, tracked as CVE-2026-22755, which allows unauthenticated attackers to execute arbitrary commands with root privileges on affected surveillance cameras.

The flaw resides in the upload_map.cgi script, where an unsanitized user-supplied filename is formatted into a command string with snprintf() and then passed to system(). snprintf() only bounds the length of the string; it does nothing to neutralise shell metacharacters, so an attacker who embeds a semicolon (or similar) in the filename gets the remainder interpreted as a separate shell command. Exploitation requires five conditions: a file under 5MB, a firmware verification bypass, an intact /usr/sbin/confclient binary, non-standard web server environment variables, and access via upload_map.cgi (not file_manager.cgi).

A proof-of-concept (PoC) demonstrated that setting an environment variable like POST_FILE_NAME="test_firmware.bin; id;" triggers command execution as root (UID 0). Researchers bypassed firmware validation by crafting files with specific magic bytes (FF V FF FF header and FF K FF FF footer).
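As an added illustration that is not taken from Akamai's write-up or from Vivotek's firmware, the snippet below reproduces the bug class in miniature (a filename formatted into a command string with snprintf()) beside the fix a reviewer would ask for: an allowlist check on the filename and an argv vector that is never parsed by a shell. The confclient command line is a placeholder; the page does not show the real one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed reproduction of the pattern described above: the filename is
 * interpolated into a shell command line. snprintf() only bounds the length
 * of the result; a ';' in the name survives untouched and would be parsed
 * by the shell behind system(). The argument form is a placeholder. */
int build_command_unsafe(char *out, size_t outlen, const char *filename)
{
    int n = snprintf(out, outlen, "/usr/sbin/confclient %s", filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist check: accept only [A-Za-z0-9._-] up to 64 bytes, and reject a
 * leading '-' (option injection) and any ".." (path traversal). Returns 1
 * when the name is acceptable, 0 otherwise. */
int is_safe_filename(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-')
        return 0;
    if (strstr(name, "..") != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened form: validate first, then hand the name to the helper as its own
 * argv element (for fork()/execv()) so no shell ever interprets it.
 * Returns 0 on success, -1 when the filename is rejected. */
int build_argv_safe(const char *filename, const char *argv[3])
{
    if (!is_safe_filename(filename))
        return -1;
    argv[0] = "/usr/sbin/confclient";   /* placeholder helper path */
    argv[1] = filename;                  /* one argument, never shell-parsed */
    argv[2] = NULL;
    return 0;
}
```

The metacharacter check is a defence-in-depth measure; the structural fix is the argv form, which removes the shell from the call path entirely.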

Affected Models & Firmware
The vulnerability impacts 36 camera models across multiple Vivotek product lines, including:

  • FD8365, FD9165, FD9371 (firmware versions 0100a–0125c)
  • FE9180, FE9191 (0100a–0125c)
  • IB9365, IP9165, IP9171 (0100a–0125c)
  • MA9321, MS9390, TB9330 (0100a–0125c)

Attack Scenario & Impact
An attacker can remotely upload a malicious firmware file with an embedded command in the filename. When processed by the vulnerable script, the payload executes with root privileges, enabling full system compromise, lateral movement, botnet recruitment, or data exfiltration. The flaw poses a critical IoT security risk, particularly for organizations in critical infrastructure, healthcare, and enterprise environments relying on legacy surveillance systems.

Akamai has released a YARA rule to detect exploitation attempts targeting upload_map.cgi with the camid parameter. The vulnerability underscores the dangers of unauthenticated RCE in IoT devices, which can serve as entry points for broader network attacks, including DDoS botnets.

Source: https://cybersecuritynews.com/vivotek-vulnerability/

VIVOTEK cybersecurity rating report: https://www.rankiteo.com/company/vivotekglobal

{
  "id": "VIV1769095561",
  "linkid": "vivotekglobal",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations in critical infrastructure, healthcare, and enterprise environments relying on legacy surveillance systems",
      "industry": "Surveillance and IoT Devices",
      "name": "Vivotek",
      "type": "Company"
    }
  ],
  "attack_vector": "Unauthenticated remote exploitation via upload_map.cgi script",
  "data_breach": {"data_exfiltration": "Possible data exfiltration"},
  "description": "Akamai researchers have uncovered a severe remote code execution (RCE) vulnerability in Vivotek's legacy firmware, tracked as CVE-2026-22755, which allows unauthenticated attackers to execute arbitrary commands with root privileges on affected surveillance cameras. The flaw resides in the upload_map.cgi script, where unsanitized user-supplied filenames are passed to a system() call via an insecure snprintf() function. Exploitation requires five conditions: a file under 5MB, a firmware verification bypass, an intact /usr/sbin/confclient binary, non-standard web server environment variables, and access via upload_map.cgi (not file_manager.cgi). A proof-of-concept demonstrated command execution as root (UID 0).",
  "impact": {
    "operational_impact": "Full system compromise, lateral movement, botnet recruitment, or data exfiltration",
    "systems_affected": "36 camera models across multiple Vivotek product lines"
  },
  "lessons_learned": "The vulnerability underscores the dangers of unauthenticated RCE in IoT devices, which can serve as entry points for broader network attacks, including DDoS botnets.",
  "post_incident_analysis": {
    "root_causes": "Unsanitized user-supplied filenames passed to system() call via insecure snprintf() function in upload_map.cgi script"
  },
  "references": [{"source": "Akamai Research"}],
  "response": {
    "enhanced_monitoring": "YARA rule released to detect exploitation attempts",
    "third_party_assistance": "Akamai researchers"
  },
  "title": "Critical Remote Code Execution Flaw in Vivotek Legacy Cameras Exposes Networks to Root-Level Attacks",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2026-22755"
}