Skip to main content

iVEC TANK-XM811 CVE-2026-11847

| EUVDEUVD-2026-36407 MEDIUM
Path Traversal (CWE-22)
2026-06-12 twcert GHSA-6f9h-v5v9-qmr3
5.3
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible interface requires low-privilege auth (PR:L); impact strictly limited to directory creation (I:L) with no confidentiality or availability effect and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 12, 2026 - 10:02 vuln.today

DescriptionCVE.org

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.

AnalysisAI

Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attackers to create directories at arbitrary system paths outside the application's intended scope. The flaw (CWE-22) resides in the network-accessible management interface, where user-supplied path input is not sufficiently sanitized before use in filesystem operations. No public exploit code or active exploitation has been identified at time of analysis, and the impact is constrained to unauthorized directory creation rather than file read, write, or code execution.

Technical ContextAI

The iVEC TANK-XM811 is an industrial-grade virtualization edge computing platform manufactured by IEI Integration Corp, uniquely identified by CPE cpe:2.3:a:iei_integration_corp:ivec_tank-xm811:*:*:*:*:*:*:*:*. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a class of vulnerability where attacker-controlled input containing traversal sequences such as '../' is used to construct filesystem paths without adequate canonicalization or boundary enforcement. In this instance, the application exposes a directory-creation operation through its remote management interface that fails to restrict the resolved target path to an allowed base directory. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the interface is network-reachable with no special attack conditions, though authenticated access at a low privilege level is required. The impact metrics (VC:N/VI:L/VA:N) confirm the exploitation outcome is limited to low-integrity writes - specifically directory creation - with no confidentiality or availability consequences on the vulnerable system or downstream systems.

RemediationAI

No vendor-released patch has been identified at time of analysis; affected version range spans all known versions per the wildcard CPE. Organizations should consult the TWCERT English advisory at https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html for patch release updates from IEI Integration Corp. As a primary compensating control, restrict network access to the iVEC TANK-XM811 management interface using firewall rules or VLAN segmentation so that only authorized management hosts can reach the interface - this eliminates the network attack vector entirely. As a secondary control, audit and rotate credentials for all accounts with access to the management interface, and apply the principle of least privilege by disabling accounts that do not require directory management capabilities; this reduces exploitation risk since PR:L authentication is required. Additionally, monitor the device filesystem for unexpected directory creation outside standard application paths as an indicator of exploitation. Note: blocking management-interface access may interrupt legitimate administrative workflows and should be coordinated with operational teams.

Share

CVE-2026-11847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy