vivotek 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は パス処理の欠陥、vendor risk cross-site scripting, and vendor risk memory corruption に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact memory corruption and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-35718 | A path traversal vulnerability in the /admin/downloadMedias.cgi endpoint of VIVOTEK INC FD8136-VVTK firmware 0300a allows authenticated attackers to read any file on the device via sending a crafted request. | [email protected] | 6.5 | 0.02% | 2026-06-02 | 2026-06-03 |
| CVE-2026-35716 | A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. | [email protected] | 6.3 | 0.05% | 2026-06-02 | 2026-06-03 |
| CVE-2026-30652 | A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device. | [email protected] | 8.8 | 0.05% | 2026-06-02 | 2026-06-03 |
| CVE-2026-30650 | A post-authentication remote buffer overflow vulnerability exists in the /cgi-bin/admin/eventtask.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device remotely. | [email protected] | 8.8 | 0.09% | 2026-06-02 | 2026-06-03 |
| CVE-2026-30649 | Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows a remote attacker to execute arbitrary code via the set_getparam.cgi component | [email protected] | 7.3 | 0.05% | 2026-06-02 | 2026-06-03 |
| CVE-2026-35717 | A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes the attacker-controlled Content-Length value directly to fread() as the read size into a fixed-size 0x60-byte stack buffer, overwriting the saved link register. The binary is compiled without stack canaries. | [email protected] | 6.3 | 0.05% | 2026-06-02 | 2026-06-03 |
| CVE-2025-66052 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default, The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | [email protected] | 8.6 | 0.34% | 2026-01-09 | 2026-01-14 |
| CVE-2025-66051 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | [email protected] | 6.9 | 0.06% | 2026-01-09 | 2026-01-14 |
| CVE-2025-66050 | Vivotek IP7137 camera with firmware version 0200a by default dos not require to provide any password when logging in as an administrator. While it is possible to set up such a password, a user is not informed about such a need. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released. | [email protected] | 9.3 | 0.05% | 2026-01-09 | 2026-01-14 |
| CVE-2025-66049 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to b | [email protected] | 8.7 | 0.05% | 2026-01-09 | 2026-01-14 |
| CVE-2024-7443 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in Vivotek IB8367A VVTK-0100b. Affected is the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-273528. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the | [email protected] | 5.3 | 0.42% | 2024-08-03 | 2024-08-06 |
| CVE-2024-7442 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been rated as critical. This issue affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-273527. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confir | [email protected] | 5.3 | 0.42% | 2024-08-03 | 2024-08-06 |
| CVE-2024-7441 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek SD9364 VVTK-0103f. It has been declared as critical. This vulnerability affects the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273526 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no lon | [email protected] | 8.7 | 11.36% | 2024-08-03 | 2024-08-07 |
| CVE-2024-7440 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek CC8160 VVTK-0100d. It has been classified as critical. This affects the function getenv of the file upload_file.cgi. The manipulation of the argument QUERY_STRING leads to command injection. It is possible to initiate the attack remotely. The identifier VDB-273525 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early an | [email protected] | 5.3 | 1.10% | 2024-08-03 | 2024-08-07 |
| CVE-2024-7439 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Vivotek CC8160 VVTK-0100d and classified as critical. Affected by this issue is the function read of the component httpd. The manipulation of the argument Content-Length leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273524. NOTE: This vulnerability only affects products that are no longer supported by t | [email protected] | 8.7 | 0.27% | 2024-08-03 | 2024-08-06 |
| CVE-2024-26548 | An issue in vivotek Network Camera v.FD8166A-VVTK-0204j allows a remote attacker to execute arbitrary code via a crafted payload to the upload_file.cgi component. | [email protected] | 9.8 | 1.74% | 2024-02-29 | 2025-05-13 |
| CVE-2020-11950 | VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to upload and execute a script (with resultant execution of OS commands). For example, this affects IT9388-HT devices. | [email protected] | 8.8 | 1.47% | 2020-05-28 | 2024-11-21 |
| CVE-2020-11949 | testserver.cgi of the web service on VIVOTEK Network Cameras before XXXXX-VVTK-2.2002.xx.01x (and before XXXXX-VVTK-0XXXX_Beta2) allows an authenticated user to obtain arbitrary files from a camera's local filesystem. For example, this affects IT9388-HT devices. | [email protected] | 6.5 | 0.33% | 2020-05-28 | 2024-11-21 |
| CVE-2013-1598 | A Command Injection vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via the system.ntp parameter to the farseer.out binary file, which cold let a malicious user execute arbitrary code. | [email protected] | 8.8 | 31.13% | 2020-01-24 | 2024-11-21 |
| CVE-2013-1597 | A Directory Traversal vulnerability exists in Vivotek PT7135 IP Cameras 0300a and 0400a via a specially crafted GET request, which could let a malicious user obtain user credentials. | [email protected] | 6.5 | 10.40% | 2020-01-24 | 2024-11-21 |