Executive Summary

CVE-2026-35716 is a stack-based buffer overflow vulnerability found in the motion_privacy.cgi binary of the VIVOTEK FD8136 camera firmware FD8136-VVTK-0300a.

This vulnerability occurs when an authenticated attacker sends a POST request to one of the endpoints /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi, which are all symlinks to the same vulnerable binary.

The attacker exploits the n1 parameter by providing an oversized value that is copied into a fixed-size 0xa4-byte stack buffer without any bounds checking.

Because the binary is compiled without stack canaries or other memory protections, this overflow overwrites the saved link register on the stack, allowing the attacker to execute arbitrary code with root privileges.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the CVE-2026-35716 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated remote attacker to execute arbitrary code as root on the affected device.

Exploitation can lead to full control over the VIVOTEK FD8136 camera, potentially allowing the attacker to manipulate device functions, access sensitive data, or use the device as a foothold for further network compromise.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the endpoints /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi on the VIVOTEK FD8136 device firmware FD8136-VVTK-0300a.

Specifically, detection involves checking for POST requests containing an oversized n1 parameter value that exceeds the fixed 0xa4-byte buffer size.

Commands to detect such attempts could include using network traffic inspection tools like tcpdump or Wireshark to filter POST requests to these endpoints and analyze the size of the n1 parameter.

• tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'POST /cgi-bin/admin/(setpm|setmd|setmd_profile).cgi'
• Use a web proxy or HTTP inspection tool to capture and analyze POST request bodies for the n1 parameter length.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints to trusted and authenticated users only, as exploitation requires authentication.

Additionally, monitoring and blocking POST requests with unusually large n1 parameter values can help prevent exploitation.

If possible, update the firmware to a version that patches this vulnerability or apply any available vendor-provided fixes.

As a temporary measure, consider disabling or restricting access to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi endpoints if they are not essential.

Useful 0 Not Useful 0