Advisory

Critical Command Injection Vulnerability in Legacy Vivotek Cameras

Take action: If you are using Vivotek cameras, this is important and urgent. Make sure your cameras are isolated from the internet and accessible from trusted networks only. Check and enforce password authentication. Then check your firmware version and if there's an update, patch ASAP. For end-of-life devices, isolate them, enforce passwords and plan a replacement process.


Learn More

The Akamai Security Intelligence and Response Team (SIRT) reports a critical flaw in legacy Vivotek camera firmware that allows remote attackers to take full control of the device without a password.

The flaw is tracked as CVE-2026-22755 (CVSS score 9.8), a command injection vulnerability in the filename parameter of the upload_map.cgi script. The code uses the snprintf function to build a shell command for moving files. It takes the filename supplied by the user and places it directly into the command string without sanitizing it. By adding a semicolon to the filename, an attacker can terminate the original command and start a new one. The system then executes the injected command through the system() function with the highest privileges.

Compounding the flaw, the cameras do not have a default password set, so many of them are exposed without any authentication.

For the exploit to succeed, an attacker must upload a file smaller than 5 MB that contains specific magic bytes to pass a firmware check. The attack also requires the web server to set certain environment variables. During testing, the researchers showed they could run the id command, which confirmed they had root access to the camera's operating system.

The flaw affects over 33 camera models, including many that are no longer supported by the vendor. Affected series are FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB9391, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330. Vulnerable firmware versions are 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c.

Companies must check their camera models and firmware versions immediately. If a patch is available, apply it now. For older devices that no longer get updates, move them to a secure, isolated network and do not expose these cameras to the public internet.