Skip to main content

iVEC-IEI Virtualization Edge Computer EUVDEUVD-2026-36406

| CVE-2026-11846 HIGH
Path Traversal (CWE-22)
2026-06-12 twcert GHSA-cw7v-g93w-6325
7.2
CVSS 4.0 · Vendor: twcert
Share

Severity by source

Vendor (twcert) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Remote network-reachable management interface (AV:N) with low complexity (AC:L) and low-privileged authenticated access (PR:L); arbitrary deletion destroys data and disrupts service (I:H/A:H) with no read primitive (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (twcert).

CVSS VectorVendor: twcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 11:01 EUVD
Analysis Generated
Jun 12, 2026 - 10:01 vuln.today

DescriptionCVE.org

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories,  resulting in data destruction or service disruption.

AnalysisAI

Arbitrary file deletion in IEI Integration Corp's iVEC-IEI Virtualization Edge Computer (Tank-XM811 platform) allows authenticated remote attackers to delete arbitrary system files or directories via path traversal, leading to data destruction and service disruption. The flaw was reported through Taiwan's TWCERT coordination process and carries a CVSS 4.0 base score of 7.2 (High) driven by integrity and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The iVEC platform is an industrial edge-computing/virtualization appliance from IEI Integration Corp, with the affected product family identified by CPE as ivec_tank-xm811 - a ruggedized embedded virtualization host typically used in industrial automation and OT environments. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): a file-management or maintenance interface accepts a user-supplied path or filename without canonicalizing or constraining it to a safe base directory, so traversal sequences such as ../ resolve outside the intended scope and reach arbitrary filesystem locations. Because the deletion runs with the privileges of the appliance's management service, an attacker can remove operating-system, configuration, or workload-VM files regardless of where they live on disk.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied input - operators should consult the TWCERT advisories at https://www.twcert.org.tw/en/cp-139-10970-e4b21-2.html and https://www.twcert.org.tw/tw/cp-132-10969-4c4e2-1.html for IEI's latest firmware update for the Tank-XM811 iVEC platform and apply it as soon as it is published. In the interim, restrict network reachability of the appliance's management interface to a dedicated administrative VLAN or jump host (trade-off: legitimate remote admin workflows must move through that path), enforce strong, unique credentials and remove or disable any default/low-privilege accounts that are not strictly required (trade-off: may break automation that relied on those accounts), and enable verbose audit logging plus offline backups of VM images and configuration so that a successful deletion can be detected and recovered quickly (trade-off: storage and log-review overhead). Where feasible, deploy file-integrity monitoring on the appliance and alert on unexpected deletions of system or VM image paths.

Share

EUVD-2026-36406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy