MEDIUM 6.3

CVE-2026-35716: VIVOTEK FD8136 Stack Buffer Overflow Remote Code Execution

A stack-based buffer overflow vulnerability exists in VIVOTEK FD8136 IP cameras that allows an authenticated attacker to run arbitrary code with root privileges. The flaw is in the motion privacy configuration endpoint, which fails to validate the size of user input before copying it into a fixed-size buffer on the stack. Because the camera firmware lacks stack protection mechanisms, an attacker can overwrite return addresses and hijack program execution. An authenticated attacker on the network can exploit this remotely by sending a specially crafted POST request.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-121
Affected products
2 configuration(s)
Published / Modified
2026-06-02 / 2026-07-05

NVD description (verbatim)

A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35716 is a stack-based buffer overflow (CWE-121) in the motion_privacy.cgi binary bundled in VIVOTEK FD8136 firmware. The vulnerability exists in three CGI endpoints (/cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi), which are symlinks to the same underlying binary. The n1 POST parameter is copied into a 0xa4-byte (164-byte) stack buffer without length validation. Because the binary is compiled without stack canaries (stack guard mechanisms), a sufficiently large n1 value corrupts the saved link register on the stack, enabling control flow hijacking. Exploitation requires prior authentication to the camera's web interface but no user interaction or special network conditions.

Business impact

Compromise of an VIVOTEK FD8136 camera with root code execution enables attackers to intercept video feeds, modify motion detection and recording settings, exfiltrate footage, inject malicious content into video streams, or use the compromised device as a pivot point into wider network infrastructure. This is particularly concerning in deployments protecting physical security, facilities, or sensitive areas where feed integrity and availability are critical. Organizations relying on these cameras for compliance-driven surveillance must treat this as a data confidentiality and availability risk.

Affected systems

VIVOTEK FD8136 IP cameras running firmware version FD8136-VVTK-0300a are known to be affected. The vulnerability is in the motion_privacy.cgi binary, which handles configuration of motion detection and privacy masking features. Verify against VIVOTEK's advisory whether earlier or later firmware versions are also vulnerable; this CVE record identifies 0300a as confirmed vulnerable. Organizations using FD8136 cameras should inventory instances across physical security deployments.

Exploitability

Exploitation requires network access to the camera's web interface and valid authentication credentials. No exploit code is known to be publicly available, and this vulnerability is not tracked as part of the CISA Known Exploited Vulnerabilities catalog. However, the attack vector is straightforward: an authenticated insider or an attacker who has compromised valid credentials can craft a POST request with an oversized n1 parameter to trigger the buffer overflow. The lack of stack canaries significantly reduces the complexity of reliable exploitation. The barrier to entry is moderate if credentials are obtained.

Remediation

Apply a firmware patch from VIVOTEK that addresses the buffer overflow. Verify against the vendor's security advisory for the correct patched firmware version and deployment steps. Until patching is complete, restrict network access to the camera's web interface using firewall rules or network segmentation, limit authentication credentials to high-integrity service accounts, and disable remote management features if not required. Monitor camera access logs for suspicious activity.

Patch guidance

Contact VIVOTEK support or check the vendor's product security page for a firmware update that resolves CVE-2026-35716. Patches typically involve recompilation with bounds checking on the n1 parameter or rebuilding the binary with stack canary protection enabled. Deploy patches in a controlled manner: test in a non-production environment first, document the previous firmware version for rollback capability, and schedule patching during a maintenance window to minimize disruption to surveillance operations. Verify the patch version against VIVOTEK's official release notes before deployment.

Detection guidance

Monitor camera access logs for unusual POST requests to /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoints with abnormally large n1 parameter values (significantly exceeding typical configuration sizes). Inspect network traffic for HTTP POST requests with oversized payloads to these endpoints. Monitor the camera for unexpected process behavior, restarts, or system resource spikes following suspicious requests. If intrusion detection is available, flag requests that attempt to inject shellcode patterns or other code payloads in the n1 parameter. Correlate camera logs with authentication logs to identify whether unauthorized or suspicious accounts triggered the requests.

Why prioritize this

Although the CVSS score is MEDIUM (6.3) and the vulnerability is not yet on CISA's KEV list, the combination of authenticated root code execution, widespread deployment of VIVOTEK cameras in critical physical security roles, and the absence of stack canaries in the affected binary elevates practical risk. Prioritize this vulnerability for teams managing IP camera infrastructure, particularly in environments where video integrity and system availability are operationally important. Credentials may be easier to obtain than attackers need for many remote vulnerabilities, making the authentication requirement less of a barrier in targeted scenarios.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for prior authentication (PR:L), which reduces attack vector score, combined with potential compromise of confidentiality, integrity, and availability. However, the practical risk is elevated by the technical reality that stack-based buffer overflows with a known saved register target and no canary protection are highly reliable to exploit for code execution. Organizations should consider their own risk context: in air-gapped or strictly segmented camera networks, the risk is lower; in environments where camera credentials are shared or weak, or where lateral movement potential exists, the effective risk is higher.

Frequently asked questions

Do I need valid camera credentials to exploit this vulnerability?

Yes. The vulnerability requires authentication to access the affected endpoints. However, if camera credentials are weak, shared, or compromised through other means (phishing, prior breaches), this becomes a lower barrier to entry. Treat camera credentials with the same rigor as any other administrative credential.

What happens if I apply a firmware patch? Will I lose camera settings or video recordings?

A firmware update typically preserves configuration and does not delete existing recordings if stored locally or on external media. However, always back up critical camera settings before patching. Test the patch on a non-production camera first to confirm no unexpected side effects in your environment.

Is there a known exploit or proof-of-concept for this vulnerability?

No public exploit code is currently available, and this vulnerability is not on CISA's publicly tracked list of exploited vulnerabilities. However, a skilled attacker familiar with stack-based buffer overflows and the camera's architecture could develop an exploit. Do not assume safety from the absence of public proof-of-concept.

Can I mitigate this vulnerability without patching if I cannot update the firmware immediately?

Partial mitigation is possible through network segmentation: restrict access to the camera's web interface to only authorized IP addresses using firewall rules, disable remote access if not needed, enforce strong authentication, and monitor logs closely. However, these controls do not eliminate the underlying vulnerability—patching is the definitive remediation.

This analysis is provided for informational and risk assessment purposes. No exploit code or weaponized proof-of-concept is included or intended. All patch version numbers and availability claims must be verified against VIVOTEK's official security advisories and product documentation. Organizations should conduct their own vulnerability assessment and testing before applying patches in production environments. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consultation with the affected vendor and your internal security team for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).