A new critical vulnerability has been unearthed in the firmware of Vivotek legacy cameras, potentially turning thousands of surveillance devices into obedient soldiers for botnet armies. The Akamai Security Intelligence and Response Team (SIRT) has disclosed details of CVE-2026-22755, a remote command injection flaw with a CVSS score of 9.3.
The discovery comes as security teams race to lock down legacy Internet of Things (IoT) devices, which have become the preferred infrastructure for launching massive Distributed Denial of Service (DDoS) attacks.
The vulnerability lies in how these cameras handle file uploads. Akamai researchers discovered that the firmware fails to properly sanitize filenames before processing them.
According to the report, “The Akamai Security Intelligence and Response Team (SIRT) has identified a new vulnerability within Vivotek legacy firmware that allows remote users to inject arbitrary code into the filename supplied to upload_map.cgi”.
The technical root cause is a classic command injection. The system uses a function to format a string containing the user-supplied filename and then passes it directly to the system shell. “By supplying a specially crafted filename with embedded shell commands, we can execute commands as the HTTP server's user ID, which is root”.
This means an attacker can gain complete administrative control over the camera simply by uploading a file with a malicious name.
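The pattern described above next to a hardened counterpart, as an added example (not Vivotek's firmware code and not taken from the Akamai report). The handler's purpose (moving an uploaded map image into place), `MAP_DIR`, and all function names are assumptions; the hardened version checks the filename against an allowlist and runs the helper with an argument vector instead of a shell string.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern as the article describes it (hypothetical sketch):
 *   snprintf(cmd, sizeof cmd, "mv %s %s/%s", tmp_path, MAP_DIR, filename);
 *   system(cmd);   // /bin/sh interprets metacharacters in filename, as root
 */
#define MAP_DIR "/tmp/maps"   /* assumed destination directory */

/* Allowlist: 1..64 chars of [A-Za-z0-9._-], not starting with '.' or '-'. */
int filename_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Build the destination path; -1 if the name is rejected or does not fit. */
int build_dest_path(const char *name, char *out, size_t outlen)
{
    if (!filename_is_safe(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", MAP_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Move the upload without a shell: argv entries are passed verbatim. */
int store_upload(const char *tmp_path, const char *name)
{
    char dest[256];
    if (build_dest_path(name, dest, sizeof dest) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/mv", "mv", tmp_path, dest, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```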
Making matters worse, the barrier to entry for this exploit is virtually non-existent. In many cases, attackers do not even need to crack a password to get in.
“We determined via analysis of the passwd file found in the firmware that the Vivotek legacy cameras do not appear to have passwords set,” the researchers noted. “As a result, it’s likely that this vulnerability doesn’t require authentication”.
The vulnerability affects a wide range of legacy models, including the FD8365, IB9365, and IP9165 series, among others.
With root access easily available, these unpatched cameras remain a prime target for threat actors looking to expand their botnets.