Akamai’s Security Intelligence and Response Team (SIRT) uncovered a serious command injection vulnerability in legacy Vivotek IoT camera firmware.
Tracked as CVE-2026-22755, the flaw lets unauthenticated remote attackers inject and run arbitrary shell commands as root.
Researchers found it with AI-assisted reverse engineering and confirmed that dozens of older camera models are affected. Because the cameras run the vulnerable CGI as root, the flaw raises botnet risk, such as DDoS attacks launched from compromised IoT devices.
The issue stems from unsafe handling of user input in the upload_map.cgi script. Disassembled code shows snprintf() building a command string of the form “mv %s %s” from attacker-controlled filenames and then passing it to system().
Because system() hands that string to a shell, a crafted name such as “test_firmware.bin;id;” terminates the mv command at the semicolon and runs id as a second command.
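As an added illustration (not code from Akamai's write-up or from Vivotek's firmware), the C below reconstructs the unsafe snprintf()-plus-system() pattern the article describes next to a hardened replacement. Function names, the buffer sizes and the allowlist policy are assumptions. build_mv_command() only returns the string that would reach /bin/sh and never executes it; safe_move_upload() rejects any name outside a strict character allowlist and moves the file with rename(2), so no shell is involved and a semicolon in the name has nothing to inject into.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATHBUF = 4096 };   /* assumed path buffer size */

/* Unsafe pattern as described in the article: the CGI builds "mv %s %s"
 * with snprintf() and passes the result to system().  This reconstruction
 * only returns the string so the reader can see what /bin/sh would parse;
 * it never calls system().  Returns 0 on success, -1 if truncated. */
int build_mv_command(char *out, size_t outlen, const char *src, const char *dst)
{
    int n = snprintf(out, outlen, "mv %s %s", src, dst);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist validator (hypothetical policy, not Vivotek's): the upload name
 * may contain only [A-Za-z0-9._-], must be 1..64 bytes, and may not begin
 * with '.' or '-'.  Every shell metacharacter (';', '|', '&', '$', '`',
 * quotes, whitespace) and every '/' is rejected, so a name like
 * "test_firmware.bin;id;" never reaches a command line. */
int is_safe_filename(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened replacement: validate first, then move with rename(2).  No shell
 * is spawned, so there is nothing to inject into; both paths are length
 * checked so truncation cannot silently produce a different file.
 * Returns 0 on success, -1 if the name is rejected or the path is too long,
 * -2 if the rename fails (source missing, or EXDEV across filesystems). */
int safe_move_upload(const char *upload_dir, const char *name, const char *dest_dir)
{
    char src[PATHBUF], dst[PATHBUF];
    if (!is_safe_filename(name)) return -1;
    if (snprintf(src, sizeof src, "%s/%s", upload_dir, name) >= (int)sizeof src) return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", dest_dir, name) >= (int)sizeof dst) return -1;
    return rename(src, dst) == 0 ? 0 : -2;
}

int main(void)
{
    /* Constructed sample names: one benign, one with the article's ';' trick,
     * one path-traversal attempt.  Destination path is an assumption. */
    const char *names[] = { "test_firmware.bin", "test_firmware.bin;id;", "../etc/passwd" };
    char cmd[256];
    for (size_t i = 0; i < 3; i++) {
        build_mv_command(cmd, sizeof cmd, names[i], "/mnt/flash/fw.bin");
        printf("name %-24s allowed=%d  shell would see: %s\n",
               names[i], is_safe_filename(names[i]), cmd);
    }
    return 0;
}
```

The point of the pairing is that escaping or quoting the filename inside a shell string is fragile; the robust fix is to never construct a shell command from user input at all. rename(2) fails with EXDEV when the upload directory and destination are on different filesystems, in which case a copy-and-unlink with open(2)/read(2)/write(2) is the shell-free alternative.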
Attackers must meet five conditions before the injection succeeds:
- the uploaded file is under 5 MB;
- it passes the firmware checks (magic bytes FF V FF FF at the start and FF K FF FF at the end);
- /usr/sbin/confclient is intact and returns “capability_remotecamctrl_master=1”;
- the device runs the customized Boa web server, which sets nonstandard environment variables;
- the request goes through upload_map.cgi rather than file_manager.cgi.
To reproduce the flaw, researchers emulated the camera's ARM environment and generated a dummy firmware image with a Bash script:
```bash
#!/bin/bash
# Build a dummy firmware image that satisfies the CGI's magic-byte checks:
# header FF 56 FF FF ("V"), 1000 zero bytes of padding, footer FF 4B FF FF ("K").
TEMP_DIR=/tmp
FIRMWARE_FILE="$TEMP_DIR/firmware.bin"
printf '\xFF\x56\xFF\xFF' > "$FIRMWARE_FILE"
dd if=/dev/zero bs=1 count=1000 >> "$FIRMWARE_FILE" 2>/dev/null
printf '\xFF\x4B\xFF\xFF' >> "$FIRMWARE_FILE"
```
They then set the CGI environment variables the script expects, for example REQUEST_METHOD=POST, CONTENT_LENGTH=55123, QUERY_STRING=camid=1 and POST_FILE_NAME="test_firmware.bin;id;".
Running /usr/share/www/cgi-bin/upload_map.cgi then printed “uid=0(root) gid=0(root)”, and an strace capture confirmed that the shell parsed the semicolon and executed id after the mv command failed.

Affected Models and IOCs
Dozens of Vivotek models run vulnerable firmware. Update immediately.
| Models | Firmware Versions |
|---|---|
| FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB9391, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c |
Key IOCs:
| IOC Type | Value |
|---|---|
| Path | /cgi-bin/admin/upload_map.cgi |
| Parameter | camid= |
| Env Var | POST_FILE_NAME containing ; (e.g., test_firmware.bin;id;) |
| Magic Bytes | Header: \xFF\x56\xFF\xFF; Footer: \xFF\x4B\xFF\xFF |
YARA rule matching the request path and parameter:
```yara
rule CVE_2026_22755_Vivotek_upload
{
    strings:
        $path = "/cgi-bin/admin/upload_map.cgi"
        $param = "camid="
    condition:
        all of them
}
```
Patch firmware as soon as vendors release updates. Sanitize filenames server-side, restrict uploads, and monitor for the IOCs above with the YARA rule. Reproduce the issue only in isolated, emulated environments.
This flaw underscores IoT risks: legacy devices fuel botnets. Root access enables full compromise, data theft, or DDoS recruitment.
Users should segment networks and disable unused CGI endpoints; security teams should hunt for anomalous uploads.
Akamai urges vendors to patch, users to update, and researchers to collaborate. Proactive IoT security demands input validation, regular audits, and AI tools to spot flaws early.
