CVE-2026-30650
Description
Authenticated buffer overflow in Vivotek FD8136 cameras allows remote code execution as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A post-authentication stack buffer overflow vulnerability exists in the /cgi-bin/admin/eventtask.cgi endpoint of the Vivotek FD8136 camera's admin interface, specifically affecting firmware version FD8136-VVTK-0300a [2]. The vulnerability occurs when the eventtask.cgi binary processes a POST request by reading the raw request body from stdin into a fixed-size stack buffer of approximately 0x88 bytes without validating the input length against the buffer's capacity.
Exploitation
An authenticated attacker can exploit this vulnerability by sending a POST request to the /cgi-bin/admin/eventtask.cgi endpoint with a request body larger than 0x88 bytes [2]. This overflow overwrites the saved link register on the stack, allowing the attacker to redirect control flow. The binary lacks stack canaries and other memory protections, simplifying exploitation.
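The Vulnerability and Exploitation sections above describe a CGI handler that copies a POST body into a fixed 0x88-byte stack buffer without checking the declared length. The following is an added illustration, not code from the FD8136 firmware or from Vivotek: a hypothetical reconstruction of that unchecked pattern next to a bounded reader that validates CONTENT_LENGTH against the buffer before reading. The buffer size, function names and the in-memory test helper are assumptions for the demonstration.

```c
/* Illustrative CGI POST-body handling. Hypothetical reconstruction of the
 * pattern the description reports, not code from the FD8136 binary. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define BODY_CAP 0x88  /* stack buffer size stated in the description (assumed here) */

/* Unchecked pattern: copy whatever CONTENT_LENGTH says into a fixed stack
 * buffer. A body longer than BODY_CAP writes past the end of buf and reaches
 * the saved return address. Shown for contrast only; never used on input. */
static void read_body_unchecked(FILE *in, size_t content_length) {
    char buf[BODY_CAP];
    fread(buf, 1, content_length, in);   /* no comparison against sizeof buf */
    (void)buf;
}

/* Hardened reader: the declared length is parsed strictly and validated
 * against the caller's buffer before any byte is read, and the read itself
 * is bounded. Returns bytes stored, or -1 with errno set on a rejected body. */
static long read_body_checked(FILE *in, const char *content_length_hdr,
                              char *buf, size_t cap) {
    if (cap == 0 || content_length_hdr == NULL) { errno = EINVAL; return -1; }
    char *end = NULL;
    errno = 0;
    unsigned long long len = strtoull(content_length_hdr, &end, 10);
    if (errno != 0 || end == content_length_hdr || *end != '\0') {
        errno = EINVAL; return -1;                  /* malformed header */
    }
    if (len >= cap) { errno = EMSGSIZE; return -1; } /* keep room for NUL */
    size_t got = fread(buf, 1, (size_t)len, in);
    if (got != len) { errno = EIO; return -1; }     /* body shorter than declared */
    buf[got] = '\0';
    return (long)got;
}

/* Test helper: run the checked reader over a constructed in-memory body. */
static long read_body_from_string(const char *body, const char *hdr,
                                  char *buf, size_t cap) {
    FILE *in = fmemopen((void *)body, strlen(body), "r");
    if (in == NULL) return -1;
    long r = read_body_checked(in, hdr, buf, cap);
    fclose(in);
    return r;
}
```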
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary commands as root on the affected Vivotek FD8136 camera [2]. This grants the attacker full control over the device.
Mitigation
Firmware version FD8136-VVTK-0300a is affected by this vulnerability [2]. Information regarding a patched firmware version or a release date for a fix is not yet disclosed in the available references. Vivotek's general product information is available [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0 (No linked articles in our index yet.)