CVE-2024-26548

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in Vivotek Network Camera firmware allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted upload request to the upload_file.cgi CGI endpoint. Successful exploitation gives full control of the camera. Organizations running Vivotek FD8166A cameras on the vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Vivotek Network Camera FD8166A
Versions: Firmware version FD8166A-VVTK-0204j
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only for the firmware build listed above; other Vivotek models and builds have not been confirmed as affected or unaffected.

📦 What is this software?

Vivotek is a Taiwanese manufacturer of IP surveillance cameras and video management products. The FD8166A is a compact fixed-dome network camera whose embedded Linux firmware exposes a web management interface, including CGI endpoints under /cgi-bin/, for configuration and firmware upgrades.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the camera leading to persistent access, lateral movement into internal networks, disruption of video surveillance, and data exfiltration.

🟠 Likely Case

Camera takeover enabling video stream interception, denial of service, or use of the camera as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if cameras sit in a dedicated VLAN with strict segmentation and access controls, since the vulnerable endpoint is then reachable only from trusted hosts.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication on exposed cameras.
🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public analysis of the exploitation details is available; exploitation requires only basic scripting knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Vivotek website for security advisories
2. If patch available, download firmware update
3. Backup camera configuration
4. Upload new firmware via web interface
5. Reboot camera
6. Verify firmware version

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate cameras in a dedicated VLAN with strict firewall rules; allow only the NVR/VMS and designated management hosts to reach the camera.

Access Control (linux)

Block external access to the camera web interface and restrict internal access to a management subnet. The rules below belong on a Linux firewall or gateway in front of the camera VLAN (the camera itself cannot be reconfigured this way); CAMERA_IP and 10.0.10.0/24 are placeholders for the camera address and your management subnet.

iptables -A FORWARD -d CAMERA_IP -p tcp -m multiport --dports 80,443 -s 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -d CAMERA_IP -p tcp -m multiport --dports 80,443 -j DROP

🧯 If You Can't Patch

  • Deploy network IPS/IDS signatures that alert on, or block, POST requests to /cgi-bin/upload_file.cgi from any source other than designated management hosts
  • Implement strict outbound filtering from the camera VLAN so a compromised camera cannot reach command-and-control infrastructure or scan other segments

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the camera web interface: System > Information > Firmware Version. The affected build is FD8166A-VVTK-0204j.

Check Version:

The URL must be quoted, otherwise the shell treats the & as a background operator and sends a truncated request. Add -u admin:PASSWORD if the camera requires credentials for this endpoint.

curl -s "http://camera-ip/cgi-bin/param.cgi?action=list&group=SYSTEM_INFO" | grep -i firmware

Verify Fix Applied:

A firmware string that merely differs from FD8166A-VVTK-0204j is not proof of a fix; it could be an older build. Confirm the installed version is newer than FD8166A-VVTK-0204j and matches the fixed version named in a vendor advisory once one is published.
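
The "newer, not merely different" check above, as an added example that is not part of this advisory or of any Vivotek tooling. It assumes Vivotek firmware strings follow the layout MODEL-VVTK-NNNNx (four-digit build plus a letter revision), which is inferred from the single version string on this page, and it treats older builds of the same model as unpatched because no fixed version is published. Feed it the bare version string or text copied from the System > Information page.

```python
import re
from typing import NamedTuple, Optional

# Vulnerable build named in this advisory.
VULNERABLE_VERSION = "FD8166A-VVTK-0204j"

# Assumed layout of a Vivotek firmware string: MODEL-VVTK-NNNNx (four-digit build
# plus a single letter revision). Inferred from the one version string on this page.
_VERSION_RE = re.compile(r"(?P<model>[A-Z0-9]+)-VVTK-(?P<build>\d{4})(?P<rev>[a-z])")


class FirmwareVersion(NamedTuple):
    model: str
    build: int   # numeric build, e.g. 204 for "0204"
    rev: str     # letter revision, e.g. "j"


def extract_version(text: str) -> Optional[str]:
    """Return the first firmware string found in `text`, or None."""
    m = _VERSION_RE.search(text)
    return m.group(0) if m else None


def parse_version(text: str) -> Optional[FirmwareVersion]:
    """Find the first firmware string in `text` (a bare version or a scraped
    System > Information page) and split it into comparable parts."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return FirmwareVersion(m.group("model"), int(m.group("build")), m.group("rev"))


def assess(text: str, vulnerable: str = VULNERABLE_VERSION) -> str:
    """Classify a firmware string relative to the known-vulnerable build.

    Returns "vulnerable" for the listed build or an older build of the same
    model (assumed unfixed, since no patched version is published), "newer"
    for a later build of the same model, and "unknown" for other models or
    strings that do not parse. Only "newer" is a candidate for 'fixed', and
    then only once a vendor advisory names the fixed build.
    """
    cur = parse_version(text)
    bad = parse_version(vulnerable)
    if cur is None or bad is None or cur.model != bad.model:
        return "unknown"
    # Build number first, then letter revision: 0204j < 0204k < 0205a.
    if (cur.build, cur.rev) <= (bad.build, bad.rev):
        return "vulnerable"
    return "newer"


if __name__ == "__main__":
    # Constructed sample of text copied from the camera's System > Information page.
    sample = "Model Name: FD8166A\nFirmware Version: FD8166A-VVTK-0204j\n"
    print(extract_version(sample), "->", assess(sample))
```

A different model returns "unknown" rather than "not vulnerable", matching the note above that other Vivotek models have not been confirmed either way.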

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/upload_file.cgi, particularly from addresses that are not management hosts or outside scheduled maintenance windows
  • System log entries showing unexpected process execution by the web server (for example a shell or network utility spawned as a child of the CGI handler)

Network Indicators:

  • HTTP traffic to the camera's port 80/443 with POST to upload_file.cgi from non-management sources
  • Unusual outbound connections from the camera IP (a camera should normally only talk to its NVR/VMS, NTP and update servers)

SIEM Query (replace 10.0.10.0/24 with your management subnet):

source="camera_logs" AND method="POST" AND uri="/cgi-bin/upload_file.cgi" AND NOT src_ip IN ("10.0.10.0/24")
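
The log indicators above as working detection logic, added here as an example and not taken from the advisory or from any Vivotek or SIEM product. It assumes camera access logs are available in Apache/nginx "combined" format (for instance from a reverse proxy or log forwarder in front of the camera; the camera's native log layout is not documented on this page), that 10.0.10.0/24 is the management subnet, and the sample log lines are constructed. Any request to the upload endpoint from outside the management subnet is flagged high, because the page states the endpoint is reachable without authentication, so even a GET probe from an unknown source is worth an alert; POSTs from management hosts are kept at info level for audit.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Path the advisory names as the attack surface. Compared case-insensitively so a
# differently-cased request is not missed.
UPLOAD_PATH = "/cgi-bin/upload_file.cgi"

# Assumed management subnet; only hosts here should ever upload to a camera.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.10.0/24")]

# Apache/nginx "combined" access-log format (assumed; emitted by a reverse proxy
# or log forwarder in front of the camera).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_management(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def find_upload_attempts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per request that reaches the upload endpoint.

    Non-management source: "high" regardless of method (unauthenticated
    endpoint, so a GET probe matters). Management POST: "info" so legitimate
    firmware/config uploads leave an audit trail. Management GET: ignored.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0].lower()   # drop query string
        if path != UPLOAD_PATH:
            continue
        if not is_management(rec["ip"]):
            severity = "high"
            reason = "upload endpoint reached from outside the management subnet"
        elif rec["method"] == "POST":
            severity = "info"
            reason = "upload from management host; confirm a change was scheduled"
        else:
            continue
        findings.append({
            "ts": rec["ts"], "ip": rec["ip"], "method": rec["method"],
            "status": rec["status"], "ua": rec["ua"] or "-",
            "severity": severity, "reason": reason,
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:13:44 +0000] "POST /cgi-bin/upload_file.cgi HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
10.0.10.5 - - [10/Mar/2024:09:01:02 +0000] "GET /cgi-bin/upload_file.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.10.5 - - [10/Mar/2024:09:01:10 +0000] "POST /cgi-bin/upload_file.cgi HTTP/1.1" 200 256 "http://camera/setup" "Mozilla/5.0"
192.168.50.22 - - [10/Mar/2024:11:40:00 +0000] "GET /CGI-BIN/Upload_File.cgi?x=1 HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.10.9 - - [10/Mar/2024:12:00:00 +0000] "GET /cgi-bin/param.cgi?action=list HTTP/1.1" 200 900 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    for f in find_upload_attempts(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['status']} {f['ua']} - {f['reason']}")
```

On the sample, the external POST and the off-subnet GET probe come out as high and the management POST as info; the management GET and the unrelated param.cgi request produce nothing. Tuning is a matter of editing MANAGEMENT_NETS and, if the camera's own logs are in a different layout, LOG_RE.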
