CVE-2026-35718
Description
Authenticated path traversal in VIVOTEK FD8136 firmware 0300a allows reading arbitrary files via the downloadMedias.cgi endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A post-authentication path traversal vulnerability exists in the /cgi-bin/admin/downloadMedias.cgi script of VIVOTEK FD8136 running firmware version FD8136-VVTK-0300a [2]. The script is intended to allow authenticated users to download media files from /mnt/auto/ [2]. The vulnerability arises because the user-supplied path is decoded without proper escaping, and the prefix check for /mnt/auto/ can be bypassed, allowing access to arbitrary files on the device's filesystem [2].
Exploitation
An authenticated attacker needs network access to the device and must send a crafted request to the /cgi-bin/admin/downloadMedias.cgi endpoint [2]. The attacker crafts a path, such as /mnt/auto/../../../etc/passwd, that passes the initial prefix check; when the script hands the path to cat, the ../ sequences resolve to a file outside the intended directory [2].
Impact
Successful exploitation allows an authenticated attacker to read arbitrary files from the device's filesystem [2]. This could include sensitive information such as /etc/passwd, network configuration files, device configuration files, and stored credentials, leading to further compromise [2].
Mitigation
Firmware version FD8136-VVTK-0300a is affected. A fixed version is not yet disclosed in the available references. No workarounds or EOL status are mentioned [1, 2].
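As an added illustration that is not from the advisory or the vendor, the following Python contrasts a plain string prefix check of the kind described above with one that normalises the decoded path before checking it against the media root. MEDIA_ROOT mirrors the /mnt/auto/ directory named in the advisory; the function names and the sample paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

MEDIA_ROOT = "/mnt/auto"   # download root named in the advisory


def weak_is_allowed(raw_path: str) -> bool:
    """Prefix check of the kind the advisory describes: the request
    parameter is URL-decoded, then compared as a plain string against
    the allowed prefix. '../' components survive this check untouched,
    so /mnt/auto/../../../etc/passwd is accepted."""
    decoded = unquote(raw_path)
    return decoded.startswith(MEDIA_ROOT + "/")


def hardened_resolve(raw_path: str, root: str = MEDIA_ROOT):
    """Decode exactly once, normalise the path lexically, and only then
    confirm it is still below root. Returns the normalised absolute path
    or None when the request must be rejected.

    Lexical normalisation (posixpath.normpath) is used here so the
    example runs anywhere; on the device itself os.path.realpath should
    be used instead so that symlinks below root are resolved as well."""
    decoded = unquote(raw_path)
    # A leftover '%' after one decode means the client double-encoded the
    # path; a NUL byte would truncate the name in C-based tools like cat.
    if "%" in decoded or "\x00" in decoded:
        return None
    candidate = decoded if decoded.startswith("/") else posixpath.join(root, decoded)
    resolved = posixpath.normpath(candidate)
    # Compare against 'root/' so a sibling such as /mnt/autox is not matched.
    if not resolved.startswith(root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for p in ("/mnt/auto/rec/clip.mp4", "/mnt/auto/../../../etc/passwd",
              "/mnt/auto/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p!r}: weak={weak_is_allowed(p)} hardened={hardened_resolve(p)}")
```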
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.