CVE-2026-35716
Stack-Based Buffer Overflow in VIVOTEK FD8136 Firmware
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vivotek | fd8136 | fd8136-vvtk-0300a |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35716 is a stack-based buffer overflow vulnerability found in the motion_privacy.cgi binary of the VIVOTEK FD8136 camera firmware FD8136-VVTK-0300a.
This vulnerability occurs when an authenticated attacker sends a POST request to one of the endpoints /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi, which are all symlinks to the same vulnerable binary.
The attacker exploits the n1 parameter by providing an oversized value that is copied into a fixed-size 0xa4-byte stack buffer without any bounds checking.
Because the binary is compiled without stack canaries or other memory protections, this overflow overwrites the saved link register on the stack, allowing the attacker to execute arbitrary code with root privileges.
How can this vulnerability impact me?
This vulnerability allows an authenticated remote attacker to execute arbitrary code as root on the affected device.
Exploitation can lead to full control over the VIVOTEK FD8136 camera, potentially allowing the attacker to manipulate device functions, access sensitive data, or use the device as a foothold for further network compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring POST requests to the endpoints /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi on VIVOTEK FD8136 devices running firmware FD8136-VVTK-0300a.
Specifically, detection involves checking for POST requests containing an oversized n1 parameter value that exceeds the fixed 0xa4-byte buffer size.
Commands to detect such attempts could include using network traffic inspection tools like tcpdump or Wireshark to filter POST requests to these endpoints and analyze the size of the n1 parameter. The tcpdump filter below only sees cleartext HTTP on port 80; HTTPS traffic has to be inspected at a TLS-terminating proxy instead.
- tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'POST /cgi-bin/admin/(setpm|setmd|setmd_profile)\.cgi'
- Use a web proxy or HTTP inspection tool to capture and analyze POST request bodies for the n1 parameter length.
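The length check described above can be automated over captured requests. The following is an added example, not code from this page or from the vendor: it flags POSTs to the three endpoints whose decoded n1 value exceeds 0xa4 bytes. It assumes n1 arrives as a URL-encoded field in the body or query string; the sample requests and the host name camera.example are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Endpoints and buffer size come from the advisory text above.
ENDPOINTS = {
    "/cgi-bin/admin/setpm.cgi",
    "/cgi-bin/admin/setmd.cgi",
    "/cgi-bin/admin/setmd_profile.cgi",
}
BUF_SIZE = 0xA4  # fixed stack buffer that receives n1 (164 bytes)


def oversized_n1(raw_request: bytes):
    """Return the largest decoded n1 length when a POST to an affected
    endpoint carries n1 longer than BUF_SIZE; otherwise return None."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return None
    url = urlsplit(parts[1])
    if url.path not in ENDPOINTS:
        return None
    # Assumption: n1 is a URL-encoded field in the body or the query string.
    # latin-1 keeps one character per byte, so len() counts bytes after
    # percent-decoding rather than characters on the wire.
    fields = parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                        encoding="latin-1")
    worst = max((len(v) for k, v in fields if k == "n1"), default=0)
    return worst if worst > BUF_SIZE else None


def build_request(method, path, body):
    """Build a constructed sample request (not captured traffic)."""
    return (f"{method} {path} HTTP/1.1\r\nHost: camera.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


SAMPLES = {
    "normal": build_request("POST", "/cgi-bin/admin/setmd.cgi", "n1=window1"),
    "at-limit": build_request("POST", "/cgi-bin/admin/setpm.cgi", "n1=" + "A" * 0xA4),
    "oversized": build_request("POST", "/cgi-bin/admin/setpm.cgi", "n1=" + "A" * 200),
    "encoded": build_request("POST", "/cgi-bin/admin/setmd_profile.cgi", "n1=" + "%41" * 165),
    "other-path": build_request("POST", "/index.html", "n1=" + "A" * 200),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {oversized_n1(raw)}")
```

The path comparison is exact, so normalise case and duplicate slashes first if the capture point sees unnormalised URLs.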
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoints to trusted and authenticated users only, as exploitation requires authentication.
Additionally, monitoring and blocking POST requests with unusually large n1 parameter values can help prevent exploitation.
If possible, update the firmware to a version that patches this vulnerability or apply any available vendor-provided fixes.
As a temporary measure, consider disabling or restricting access to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi endpoints if they are not essential.