The Akamai Security Intelligence and Response Team (SIRT) has uncovered a previously undocumented — and still widely exploitable — unauthenticated command-injection vulnerability in legacy Vivotek IP cameras. Originally referenced only in passing in 2019 under CVE-2019-19936, the flaw was never publicly documented and the CVE remains in RESERVED status, leaving defenders without guidance for years.
Akamai’s researchers warn that the bug, residing in the /cgi-bin/admin/eventtask.cgi endpoint, allows attackers to execute arbitrary commands without authentication, enabling full compromise of vulnerable devices.
Akamai analysts discovered the issue during a proactive firmware investigation, noting that many Vivotek models still run outdated, end-of-life firmware.
The vulnerable binary eventtask.cgi accepts user input from POST requests and passes it directly to the system shell.
By inspecting the binary with radare2 and IDA, the researchers found “the variable s is being passed to system() that contains user supplied input from the POST request.” This is the classic signature of a command-injection flaw.
The vulnerability requires no authentication, making exploitation dangerously simple.
Akamai demonstrates that “a simple curl command is all that is needed to run arbitrary commands on a vulnerable device.”
During testing on a factory-reset Vivotek FD8154-F2 camera (default user: root, password: none), researchers executed a basic uptime command through the vulnerable CGI endpoint and received valid system output.
The camera replied with:
Even more concerning, simply visiting the CGI page with curl is enough to identify vulnerable units. The report explains: “A simple curl command to eventtask.cgi that returns ‘Missing parameter’ likely means your device is vulnerable.”
Akamai SIRT found that a massive number of older Vivotek devices remain vulnerable. The report provides extensive model tables spanning:
- FD fixed dome cameras
- IB bullet cameras
- IP box/compact cameras
- CC compact panoramic units
- FE fisheye cameras
- IT industrial/transport cameras
- SD PTZ and speed-dome models
- MA/MS multisensor panoramic cameras
- VS/TB video servers and encoders
The report emphasizes: “There are a significant number of models impacted, many of them quite old and no longer supported by the vendor but still widely used in the wild.”
Firmware versions 0100c through 0305a4 are specifically identified as vulnerable — and importantly, these firmware versions have been retired and will not receive patches.
In a disturbing finding, Akamai notes that some legacy Vivotek models also ship with predictable, hard-coded passwords.
According to the report: “Some firmware models have default passwords of mpeg4soc for the root account and the user account login assigning CVE-ID CVE-2025-12592.”
Combined with the unauthenticated command injection, this dramatically increases the likelihood of device compromise in the wild.
Vivotek confirmed to Akamai that the flaw affects legacy hardware running old firmware and that the issue has been patched only in newer versions. But because the vulnerable devices are end-of-life, no retroactive fixes will be released.
Although Akamai notes that “We have not seen active exploitation of this vulnerability at the time of publication,” the ease of exploitation and the public availability of affected models suggest widespread abuse could emerge quickly.
IoT botnets, cryptomining operations, and targeted surveillance actors can all weaponize trivial command-injection bugs at scale.
Because no vendor patch will arrive for affected models, Akamai advises:
- Immediate network isolation or segmentation
- Disabling public exposure of camera interfaces
- Migrating away from unsupported firmware
- Auditing device fleets for forgotten or legacy units
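The two defender-side actions the article lays out, checking inventoried cameras for the "Missing parameter" indicator described earlier and watching access logs for requests to the endpoint from outside the management network, can be scripted. The following is an added example written for this page, not code from Akamai or Vivotek. It assumes the audit is run by the fleet owner against its own hosts, that a parameter-less unauthenticated request answering "Missing parameter" is the only reply treated as a vulnerability indicator, and that access logs are in common log format; the hostnames, log lines and trusted network are constructed.

```python
"""Owner-side fleet audit and access-log triage for the eventtask.cgi flaw.

Added example, not Akamai's or Vivotek's code. Assumptions: run by the fleet
owner against its own inventory; a device is *likely* vulnerable only when an
unauthenticated, parameter-less request answers "Missing parameter" (the
indicator the report describes); logs are common log format; the hosts, log
lines and trusted network below are constructed / hypothetical.
"""
import ipaddress
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

ENDPOINT = "/cgi-bin/admin/eventtask.cgi"
INDICATOR = "Missing parameter"
Fetcher = Callable[[str], Tuple[int, str]]


def classify_response(status: int, body: str) -> str:
    """Turn the HTTP status and body of the probe into an audit verdict."""
    if status in (401, 403):
        return "auth-required"      # handler is gated; unauthenticated path is closed
    if status == 404:
        return "endpoint-absent"
    if status == 200 and INDICATOR in body:
        return "likely-vulnerable"  # reached the CGI handler with no credentials
    if status == 0:
        return "unreachable"
    return "unknown"


def http_fetch(host: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET the endpoint with no parameters and no credentials; (0, "") if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}{ENDPOINT}", timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def audit_fleet(hosts: Iterable[str], fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Probe every inventoried host once and return host -> verdict."""
    return {host: classify_response(*fetch(host)) for host in hosts}


# Constructed stand-in for a real fleet so the audit runs offline.
FAKE_FLEET: Dict[str, Tuple[int, str]] = {
    "cam-lobby.example": (200, "Missing parameter"),
    "cam-dock.example": (401, "Unauthorized"),
    "cam-yard.example": (404, "Not Found"),
}


def fake_fetch(host: str) -> Tuple[int, str]:
    return FAKE_FLEET.get(host, (0, ""))


# Log triage: any hit on the endpoint from outside the trusted management network.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_untrusted_requests(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[dict]:
    """Return each request to eventtask.cgi whose source lies outside trusted_cidrs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != ENDPOINT:
            continue
        try:
            trusted = any(ipaddress.ip_address(m.group("src")) in n for n in nets)
        except ValueError:  # unparseable source field: treat as untrusted
            trusted = False
        if not trusted:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": m.group("status")})
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '10.0.5.20 - - [01/Dec/2025:10:00:01 +0000] "GET /cgi-bin/viewer/video.jpg HTTP/1.1" 200 5120',
    '10.0.5.20 - - [01/Dec/2025:10:00:05 +0000] "POST /cgi-bin/admin/eventtask.cgi HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Dec/2025:10:02:11 +0000] "POST /cgi-bin/admin/eventtask.cgi HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Dec/2025:10:02:12 +0000] "GET /cgi-bin/admin/eventtask.cgi?x=1 HTTP/1.1" 200 17',
]
TRUSTED = ["10.0.5.0/24"]  # hypothetical management network

if __name__ == "__main__":
    for host, verdict in audit_fleet(FAKE_FLEET, fake_fetch).items():
        print(f"{host:20s} {verdict}")
    for hit in find_untrusted_requests(SAMPLE_LOG, TRUSTED):
        print("ALERT", hit)
```

Swap `fake_fetch` for the default `http_fetch` to run the audit against a real inventory; the probe sends no parameters, so a "likely-vulnerable" verdict only records that the handler was reachable without credentials. Feeding the log triage with the camera's or reverse proxy's access log turns the second mitigation (no public exposure) into something measurable: any hit from outside the trusted range is a policy violation worth an alert regardless of whether it was malicious.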
Given the gravity of the flaw, organizations relying on Vivotek hardware for physical security should prioritize discovery and replacement.