A path traversal flaw in the /admin/downloadMedias.cgi service of VIVOTEK INC FD8136-VVTK firmware 0300a enables an attacker who can authenticate to the device to request any file on the system. This vulnerability is a classic input validation error that allows read access to sensitive files that could contain configuration data, credentials, or other confidential information. Unchecked directory traversal sequences such as "../" permit file names beyond the intended media directory to be resolved by the firmware and sent in the response, effectively leaking the contents of arbitrary files to the attacker.

The flaw affects devices running the VIVOTEK FD8136-VVTK firmware version 0300a. No officially listed product variant or further sub‑versions are mentioned, but any device that has been confirmed to run this firmware revision is likely vulnerable.

Because the vulnerability requires authentication, the attacker must bypass normal login mechanisms first, but once authenticated, the exploitation is trivial: a crafted HTTP request to /admin/downloadMedias.cgi will return the target file directly. The lack of an EPSS score or CVSS rating in the data set precludes precise quantification, but the potential impact of reading arbitrary files on a network‑attached device is high and warrants prompt attention. The vulnerability is not currently catalogued in CISA’s KEV list, suggesting no known exploitation in the wild at this time, yet the attack vector likely originates from compromised or poorly protected local networks.