Skip to main content

iVEC-IEI Virtualization Edge Computer EUVDEUVD-2026-36405

| CVE-2026-11845 HIGH
OS Command Injection (CWE-78)
2026-06-12 twcert GHSA-xvpv-jmc6-72gq
8.6
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.2 HIGH

Network-reachable management interface (AV:N/AC:L), requires existing administrator access per description and vendor vector (PR:H), no user interaction, full OS command execution yields C:H/I:H/A:H on the device.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 12, 2026 - 10:00 vuln.today

DescriptionCVE.org

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.

AnalysisAI

OS command injection in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (iVEC TANK-XM811) allows privileged remote attackers to inject and execute arbitrary operating system commands on the affected device. The flaw was disclosed via Taiwan's TWCERT and carries a CVSS 4.0 base score of 8.6, with no public exploit identified at time of analysis. Because exploitation requires high privileges, the issue represents a post-authentication path to full device compromise rather than an unauthenticated remote takeover.

Technical ContextAI

The affected product is an industrial/edge virtualization appliance from IEI Integration Corp (CPE cpe:2.3:a:iei_integration_corp:ivec_tank-xm811), typically deployed at the network edge to host virtualized workloads in OT/industrial environments. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input is concatenated into a shell command or passed to a system-level interpreter without adequate sanitization or use of parameterized execution. On embedded/management interfaces this typically occurs in administrative web endpoints, CLI wrappers, or diagnostic functions (e.g., ping, network configuration, firmware utilities) that invoke underlying OS binaries.

RemediationAI

No vendor-released patched version is identified in the available data; administrators should consult the TWCERT advisories (https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html and https://www.twcert.org.tw/tw/cp-132-10969-4c4e2-1.html) and contact IEI Integration Corp directly for firmware updates for the iVEC TANK-XM811. Until a fix is confirmed, restrict the device's administrative/management interface to a dedicated out-of-band management VLAN and block it at the perimeter so it is not reachable from general corporate or internet-facing networks (trade-off: remote operators will need VPN/jumphost access). Rotate all administrator credentials and disable any default or shared accounts to reduce the chance that the PR:H precondition is met (trade-off: may break existing automation that uses shared accounts). Enable detailed audit logging on the management interface and monitor for unusual command-execution or shell-spawn patterns originating from web/CLI admin endpoints.

Share

EUVD-2026-36405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy