Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote network-reachable management interface (AV:N) with low complexity (AC:L) and low-privileged authenticated access (PR:L); arbitrary deletion destroys data and disrupts service (I:H/A:H) with no read primitive (C:N).
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption.
AnalysisAI
Arbitrary file deletion in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (Tank-XM811 platform) allows authenticated remote attackers to delete arbitrary system files or directories via path traversal, leading to data destruction and service disruption. The flaw was reported through Taiwan's TWCERT coordination process and carries a CVSS 4.0 base score of 7.2 (High) driven by integrity and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The iVEC platform is an industrial edge-computing/virtualization appliance from IEI Integration Corp, with the affected product family identified by CPE as ivec_tank-xm811 - a ruggedized embedded virtualization host typically used in industrial automation and OT environments. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): a file-management or maintenance interface accepts a user-supplied path or filename without canonicalizing or constraining it to a safe base directory, so traversal sequences such as ../ resolve outside the intended scope and reach arbitrary filesystem locations. Because the deletion runs with the privileges of the appliance's management service, an attacker can remove operating-system, configuration, or workload-VM files regardless of where they live on disk.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied input - operators should consult the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html and https://www.twcert.org.tw/tw/cp-132-10969-4c4e2-1.html for IEI's latest firmware update for the Tank-XM811 iVEC platform and apply it as soon as it is published. In the interim, restrict network reachability of the appliance's management interface to a dedicated administrative VLAN or jump host (trade-off: legitimate remote admin workflows must move through that path), enforce strong, unique credentials and remove or disable any default/low-privilege accounts that are not strictly required (trade-off: may break automation that relied on those accounts), and enable verbose audit logging plus offline backups of VM images and configuration so that a successful deletion can be detected and recovered quickly (trade-off: storage and log-review overhead). Where feasible, deploy file-integrity monitoring on the appliance and alert on unexpected deletions of system or VM image paths.
More in Ivec Tank Xm811
View allOS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged
Arbitrary file read via path traversal in IEI Integration Corp's iVEC TANK-XM811 edge computing platform exposes sensiti
Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attac
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36406
GHSA-cw7v-g93w-6325