CVE-2026-11847
Description
Authenticated remote attackers can exploit a path traversal vulnerability in IEI iVEC TANK-XM811 before v1.0.4 to create directories in unintended system paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The iVEC-IEI Virtualization Edge Computer (model iVEC TANK-XM811) running versions prior to v1.0.4 contains a Path Traversal vulnerability (CVE-2026-11847). An authenticated remote attacker can exploit this flaw to create directories outside the intended scope, leveraging improper input validation in file system operations. [1][2]
Exploitation
An attacker must have valid credentials to access the affected device remotely over the network. No user interaction is required. By sending specially crafted requests, the attacker can traverse directory paths and create new directories in arbitrary system locations, bypassing access controls. [1][2]
Impact
Successful exploitation allows the attacker to create directories in unintended system paths, achieving a low integrity impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). This could disrupt normal system operations or be a precursor to further attacks, such as planting configuration files or exhausting disk space. [1][2]
Mitigation
IEI Integration Corp released a fix in version v1.0.4 of iVEC TANK-XM811. All users should update to v1.0.4 or later. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of publication. [1][2]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.