A path traversal flaw in the /admin/downloadMedias.cgi service of VIVOTEK FD8136-VVTK firmware 0300a enables an attacker who can authenticate to the device to request any file on the system. This vulnerability is a classic input validation error that allows read access to sensitive files that could contain configuration data, credentials, or other confidential information. Unchecked directory traversal sequences such as "../" permit file names beyond the intended media directory to be resolved by the firmware and sent in the response, effectively leaking the contents of arbitrary files to the attacker.

The flaw affects devices running the VIVOTEK FD8136-VVTK firmware version 0300a. No officially listed product variant or further sub‑versions are mentioned, but any device that has been confirmed to run this firmware revision is likely vulnerable.

Because the vulnerability requires authentication, the attacker must bypass normal login mechanisms first, but once authenticated, the exploitation is trivial: a crafted HTTP request to /admin/downloadMedias.cgi will return the target file directly. The CVSS score of 6.5 indicates moderate severity and is supported by an EPSS score of <1%, implying a very low likelihood of exploitation in the wild at the time of analysis. The vulnerability is not currently catalogued in CISA’s KEV list, suggesting no known exploitation in the wild at this time, yet the attack vector likely originates from compromised or poorly protected local networks.