An issue in vivotek Network Camera v.FD8166A-VVTK-0204j allows a remote attacker to execute arbitrary code via a crafted payload to the upload_file.cgi component.
An attacker sends a specially crafted payload to the upload_file.cgi component available on the device. This component does not properly validate the transmitted data, which allows arbitrary code execution on the device side. The attack can be carried out remotely, without the need to possess any access credentials.
An attacker can gain full control over the device by executing arbitrary code at its level. The consequence can be a breach of data confidentiality and integrity as well as complete loss of camera availability.
Security patches available from the manufacturer should be applied in accordance with the references. It is also recommended to restrict network access to the camera's management interface through a firewall or network segmentation to minimize exposure to potential attackers.
Vivotek Network Camera FD8166A with firmware version VVTK-0204j
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVivotek Camera
HWVivotekwszystkie wersjeVivotek Camera Firmware
OSVivotekv.fd8166a-vvtk-0204j
Related vulnerabilities
An authentication bypass vulnerability in VIVOTEK IPCam versions prior to 0x13a was found.
VIVOTEK IP Camera devices with firmware before 0x20x have a stack-based buffer overflow via a crafted HTTP hea...
VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of service via a crafted HTTP header.
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow CSRF.
VIVOTEK FD8177 devices before XXXXXX-VVTK-xx06a allow remote attackers to execute arbitrary code (issue 1 of 2...