Description
A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.
Published: 2026-06-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the motion_privacy.cgi binary of VIVOTEK FD8136 firmware FD8136-VVTK-0300a. An authenticated remote attacker can send a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoints (all symlinks to the same binary) with an oversized n1 parameter. The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register, and the binary lacks stack canaries. The resulting vulnerability allows arbitrary code execution with root privileges.

Affected Systems

Only VIVOTEK FD8136 devices that are running firmware version FD8136-VVTK-0300a are affected. This firmware hosts the motion_privacy.cgi binary and the CGI endpoints mentioned in the description.

Risk and Exploitability

The potential impact is severe; an attacker who can authenticate to the device can run arbitrary code as root, compromising the entire camera system. The CVSS score is 6.3, the EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The absence of mitigation mechanisms such as stack canaries increases the likelihood of exploitation in a targeted context.

Generated by OpenCVE AI on June 3, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement a firmware update from VIVOTEK that addresses the buffer overflow in the motion_privacy.cgi binary.
  • Limit access to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi endpoints to trusted IP addresses or internal networks.
  • Block or filter HTTP POST requests that contain an oversized n1 parameter before they reach the camera, using firewall or network security appliances.

Generated by OpenCVE AI on June 3, 2026 at 17:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Vivotek fd8136 Firmware
CPEs cpe:2.3:h:vivotek:fd8136:-:*:*:*:*:*:*:*
cpe:2.3:o:vivotek:fd8136_firmware:0300a:*:*:*:*:*:*:*
Vendors & Products Vivotek fd8136 Firmware

Wed, 03 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Buffer Overflow in VIVOTEK Camera Firmware Allows Root Code Execution

Wed, 03 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Buffer Overflow in VIVOTEK FD8136 Motion Privacy CGI
Weaknesses CWE-119
CWE-787

Wed, 03 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Vivotek
Vivotek fd8136
Vendors & Products Vivotek
Vivotek fd8136

Tue, 02 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Buffer Overflow in VIVOTEK FD8136 Motion Privacy CGI
Weaknesses CWE-119
CWE-121
CWE-787

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.
References

Subscriptions

Vivotek Fd8136 Fd8136 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T13:38:31.550Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-35716

cve-icon Vulnrichment

Updated: 2026-06-03T13:38:21.682Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-02T16:16:37.187

Modified: 2026-06-03T18:40:11.570

Link: CVE-2026-35716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T17:30:36Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow