CVE-2018-14494
Description
Remote command injection in Vivotek FD8136 via BusyBox and wget allows unauthenticated attackers to execute commands as root on the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Vivotek FD8136 network cameras are vulnerable to remote command injection due to improper input sanitization in the web management interface. The vulnerability involves the use of BusyBox and wget, allowing injected commands to be executed on the operating system. This affects all firmware versions that were current at the time of discovery, though the vendor stated in 2019 that it does not apply to any recent hardware or firmware [1][2].
Exploitation
An attacker with network access to the device's web management interface can exploit this vulnerability without authentication. By crafting a malicious HTTP request to a vulnerable parameter (likely related to wget or BusyBox functionality), the attacker can inject arbitrary shell commands. The web server process runs with root privileges, eliminating the need for privilege escalation [2].
Impact
Successful exploitation results in arbitrary command execution with root privileges, granting full control over the camera. The attacker can read, modify, or delete files, capture network traffic, pivot to internal networks, or disable the device. This represents a complete compromise of confidentiality, integrity, and availability.
Mitigation
The vendor indicated that this vulnerability is historical and does not affect current or recent Vivotek hardware or firmware [1]. Users of affected devices should isolate them on a separate network segment or upgrade to a non-vulnerable model. No patch was released for this specific CVE as it is considered legacy.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Vivotek/FD8136
Patches
No patches discovered yet.