CVE-2026-11844

Vulnerability

An arbitrary file read vulnerability exists in the IEI Integration Corp iVEC TANK-XM811 virtualization edge computer. Affected versions are all releases before v1.0.4 [1], [2]. The vulnerability allows a privileged remote attacker to access files outside the intended directory scope, bypassing path restrictions in the device's file access controls.

Exploitation

Exploitation requires that the attacker already possesses administrative privileges on the device (PR:H). The attack is performed over the network with no user interaction needed. The attacker sends a crafted request that traverses outside the allowed directory scope to read arbitrary files on the system [1], [2].

Impact

Successful exploitation results in high confidentiality impact — the attacker can read sensitive files such as configuration data, credentials, or other protected information stored on the device. There is no impact to integrity or availability from this specific vulnerability, as it only permits read access [1], [2].

Mitigation

IEI Integration Corp has released iVEC TANK-XM811 version v1.0.4, which contains the fix. All users should update to v1.0.4 or later immediately [1], [2].