Description
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.
Published: 2026-06-12
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS Command Injection flaw in IEI Integration Corp's iVEC TANK-XM811 allows a privileged remote attacker to run arbitrary operating system commands on the device, compromising confidentiality, integrity, and availability of the affected system. This weakness corresponds to CWE-78 and grants the attacker full control over the host operating system when exploited. The vulnerability can be used to steal configuration data, alter device behavior, or pivot within the network.

Affected Systems

Affects IEI Integration Corp’s iVEC TANK-XM811 product. Specific firmware or build versions are not documented in the public advisory, so the impact applies to any deployed instance of the listed hardware that has not applied a vendor update.

Risk and Exploitability

The reported CVSS score of 8.6 indicates a high severity risk. EPSS data is not available, so the current likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not have known active exploitation. However, the remote nature of the attack vector and the privileged access required imply that once an attacker gains network reach to the device, they can moderately easily exploit the flaw to execute arbitrary commands.

Generated by OpenCVE AI on June 12, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update or vendor patch provided by IEI Integration Corp to remediate the command injection flaw.
  • Restrict network exposure by placing the device behind a firewall or VLAN that limits inbound traffic to only trusted management systems.
  • Disable or isolate any unused services and interfaces that could provide the injection surface, and employ strict input validation mechanisms for trusted command interfaces.

Generated by OpenCVE AI on June 12, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Iei Integration Corp
Iei Integration Corp ivec Tank-xm811
Vendors & Products Iei Integration Corp
Iei Integration Corp ivec Tank-xm811

Fri, 12 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.
Title IEI Integration Corp|iVEC-IEI Virtualization Edge Computer - OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Iei Integration Corp Ivec Tank-xm811
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-12T11:03:17.259Z

Reserved: 2026-06-10T07:50:57.806Z

Link: CVE-2026-11845

cve-icon Vulnrichment

Updated: 2026-06-12T11:03:01.771Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T10:16:21.617

Modified: 2026-06-12T16:00:18.860

Link: CVE-2026-11845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:20:50Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')