CVE-2026-30652

Vulnerability

A post-authentication stack buffer overflow vulnerability exists in the set_getdido.cgi binary, which backs the /cgi-bin/dido/setdo.cgi endpoint, on Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a [2]. The vulnerability occurs when processing a POST request to this endpoint, where the raw request body is read into a fixed-size stack buffer without length validation, allowing for a buffer overflow [2].

Exploitation

An authenticated attacker can exploit this vulnerability by sending a POST request with a body larger than the approximately 0xc4 byte stack buffer to the /cgi-bin/dido/setdo.cgi endpoint [2]. This overflow can overwrite the saved link register on the stack, redirecting control flow to achieve arbitrary code execution. The binary runs as root and lacks memory protections like stack canaries, simplifying exploitation [2].

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands as the root user on the affected Vivotek FD8136 camera [2]. This grants the attacker complete control over the device.

Mitigation

This vulnerability affects firmware version FD8136-VVTK-0300a [2]. A fixed version and release date are not yet disclosed in the available references. No workarounds are provided [1, 2].