Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable management interface requires high-privilege auth (PR:H); read-only path traversal yields no integrity or availability impact.
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope.
AnalysisAI
Arbitrary file read via path traversal in IEI Integration Corp's iVEC TANK-XM811 edge computing platform exposes sensitive system files to privileged remote attackers. The CVSS 4.0 vector (AV:N/PR:H/VC:H) confirms network-accessible exploitation requiring high-privilege credentials, with full confidentiality impact on the vulnerable system and no integrity or availability impact. No public exploit code or CISA KEV listing is identified at time of analysis; the vulnerability was reported by Taiwan CERT (TWCERT) and affects all known firmware versions per CPE wildcard.
Technical ContextAI
The iVEC TANK-XM811 is an industrial edge computing appliance developed by IEI Integration Corp, used in IIoT and virtualization edge deployments. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') is the root cause - the device's web or management interface fails to sanitize user-supplied file path parameters, allowing traversal sequences (e.g., '../') to escape the intended directory scope and read arbitrary files from the underlying filesystem. The CPE string 'cpe:2.3:a:iei_integration_corp:ivec_tank-xm811:*:*:*:*:*:*:*:*' uses a full wildcard on version, indicating no specific firmware release has been confirmed as patched and all known versions are potentially within scope.
RemediationAI
Patch availability per vendor advisory should be confirmed directly via the TWCERT advisories at https://www.twcert.org.tw/tw/cp-132-10969-4c4e2-1.html and https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html - no exact patched firmware version is independently confirmed in the available data. Upstream fix availability (patch available per vendor advisory) should be treated as the primary remediation path. As compensating controls, restrict access to the device's management interface to trusted administrative networks only using firewall or ACL rules; avoid exposing the management plane to the internet or untrusted segments. Enforce the principle of least privilege on management accounts to reduce the value of compromised high-privilege credentials. Audit filesystem permissions on the device to ensure sensitive files (private keys, credential stores, configuration files) are not readable by the web service process. Note that network segmentation limits reach but does not eliminate risk from insider threats or pivoting.
More in Ivec Tank Xm811
View allOS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged
Arbitrary file deletion in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (Tank-XM811 platform) allows aut
Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attac
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36404
GHSA-ff64-fqrg-xh7j