Skip to main content

VIVOTEK FD8136 EUVDEUVD-2026-33934

| CVE-2026-35717 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-02 cve@mitre.org GHSA-7f9j-8mjp-qv5p
6.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 14:23 vuln.today
CVSS changed
Jun 03, 2026 - 14:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 02, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes the attacker-controlled Content-Length value directly to fread() as the read size into a fixed-size 0x60-byte stack buffer, overwriting the saved link register. The binary is compiled without stack canaries.

AnalysisAI

Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.

Technical ContextAI

The vulnerable component is the export_language.cgi binary located under /cgi-bin/admin/ in VIVOTEK FD8136 firmware version FD8136-VVTK-0300a. CWE-121 (Stack-Based Buffer Overflow) is the root cause class: the HTTP POST handler reads the request's Content-Length header and forwards it without bounds checking as the size argument to fread(), which writes into a statically allocated 0x60-byte (96-byte) buffer on the stack. Supplying a Content-Length value greater than 96 overwrites stack memory beyond the buffer boundary, reaching and corrupting the saved link register (return address on ARM-class embedded platforms). Because the binary is compiled without stack canaries (SSP disabled), no runtime integrity check detects the corruption before the function returns and redirects execution. The administrative CGI interface is accessible over the network (AV:N from CVSS), and the attack requires only low-privileged credentials (PR:L), consistent with an authenticated web management account.

RemediationAI

No vendor-released patch or patched firmware version has been identified in the available intelligence data; NVD references point only to the VIVOTEK vendor homepage (http://vivotek.com) without a specific advisory page or firmware download. Administrators should immediately check the VIVOTEK support portal for FD8136 firmware updates and apply any available release. As compensating controls pending a confirmed patch: restrict network access to the /cgi-bin/admin/ directory - and specifically the export_language.cgi endpoint - to explicitly trusted management IP ranges using firewall ACLs or network segmentation, which eliminates remote exploitability for unapproved hosts but requires reliable network enforcement and does not protect against compromised internal hosts. Isolate FD8136 cameras on a dedicated VLAN with no direct internet egress, preventing opportunistic external access. Rotate all camera administrative credentials to unique, strong passwords immediately, since exploitation requires low-privileged authentication (PR:L) - removing default or reused credentials is the single highest-impact interim control. Disable remote web management access from untrusted networks at the perimeter if camera management is not required externally.

Share

EUVD-2026-33934 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy