Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes the attacker-controlled Content-Length value directly to fread() as the read size into a fixed-size 0x60-byte stack buffer, overwriting the saved link register. The binary is compiled without stack canaries.
AnalysisAI
Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.
Technical ContextAI
The vulnerable component is the export_language.cgi binary located under /cgi-bin/admin/ in VIVOTEK FD8136 firmware version FD8136-VVTK-0300a. CWE-121 (Stack-Based Buffer Overflow) is the root cause class: the HTTP POST handler reads the request's Content-Length header and forwards it without bounds checking as the size argument to fread(), which writes into a statically allocated 0x60-byte (96-byte) buffer on the stack. Supplying a Content-Length value greater than 96 overwrites stack memory beyond the buffer boundary, reaching and corrupting the saved link register (return address on ARM-class embedded platforms). Because the binary is compiled without stack canaries (SSP disabled), no runtime integrity check detects the corruption before the function returns and redirects execution. The administrative CGI interface is accessible over the network (AV:N from CVSS), and the attack requires only low-privileged credentials (PR:L), consistent with an authenticated web management account.
RemediationAI
No vendor-released patch or patched firmware version has been identified in the available intelligence data; NVD references point only to the VIVOTEK vendor homepage (http://vivotek.com) without a specific advisory page or firmware download. Administrators should immediately check the VIVOTEK support portal for FD8136 firmware updates and apply any available release. As compensating controls pending a confirmed patch: restrict network access to the /cgi-bin/admin/ directory - and specifically the export_language.cgi endpoint - to explicitly trusted management IP ranges using firewall ACLs or network segmentation, which eliminates remote exploitability for unapproved hosts but requires reliable network enforcement and does not protect against compromised internal hosts. Isolate FD8136 cameras on a dedicated VLAN with no direct internet egress, preventing opportunistic external access. Rotate all camera administrative credentials to unique, strong passwords immediately, since exploitation requires low-privileged authentication (PR:L) - removing default or reused credentials is the single highest-impact interim control. Disable remote web management access from untrusted networks at the perimeter if camera management is not required externally.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33934
GHSA-7f9j-8mjp-qv5p