Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible interface requires low-privilege auth (PR:L); impact strictly limited to directory creation (I:L) with no confidentiality or availability effect and no scope change.
Primary rating from Vendor (twcert).
CVSS VectorVendor: twcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths.
AnalysisAI
Path traversal in IEI Integration Corp's iVEC TANK-XM811 Virtualization Edge Computer enables authenticated remote attackers to create directories at arbitrary system paths outside the application's intended scope. The flaw (CWE-22) resides in the network-accessible management interface, where user-supplied path input is not sufficiently sanitized before use in filesystem operations. No public exploit code or active exploitation has been identified at time of analysis, and the impact is constrained to unauthorized directory creation rather than file read, write, or code execution.
Technical ContextAI
The iVEC TANK-XM811 is an industrial-grade virtualization edge computing platform manufactured by IEI Integration Corp, uniquely identified by CPE cpe:2.3:a:iei_integration_corp:ivec_tank-xm811:*:*:*:*:*:*:*:*. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a class of vulnerability where attacker-controlled input containing traversal sequences such as '../' is used to construct filesystem paths without adequate canonicalization or boundary enforcement. In this instance, the application exposes a directory-creation operation through its remote management interface that fails to restrict the resolved target path to an allowed base directory. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms the interface is network-reachable with no special attack conditions, though authenticated access at a low privilege level is required. The impact metrics (VC:N/VI:L/VA:N) confirm the exploitation outcome is limited to low-integrity writes - specifically directory creation - with no confidentiality or availability consequences on the vulnerable system or downstream systems.
RemediationAI
No vendor-released patch has been identified at time of analysis; affected version range spans all known versions per the wildcard CPE. Organizations should consult the TWCERT English advisory at https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html for patch release updates from IEI Integration Corp. As a primary compensating control, restrict network access to the iVEC TANK-XM811 management interface using firewall rules or VLAN segmentation so that only authorized management hosts can reach the interface - this eliminates the network attack vector entirely. As a secondary control, audit and rotate credentials for all accounts with access to the management interface, and apply the principle of least privilege by disabling accounts that do not require directory management capabilities; this reduces exploitation risk since PR:L authentication is required. Additionally, monitor the device filesystem for unexpected directory creation outside standard application paths as an indicator of exploitation. Note: blocking management-interface access may interrupt legitimate administrative workflows and should be coordinated with operational teams.
More in Ivec Tank Xm811
View allOS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged
Arbitrary file deletion in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (Tank-XM811 platform) allows aut
Arbitrary file read via path traversal in IEI Integration Corp's iVEC TANK-XM811 edge computing platform exposes sensiti
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36407
GHSA-6f9h-v5v9-qmr3