Mallory
Critical | Public exploit

Unauthenticated OS command injection in Vivotek legacy camera firmware upload_map.cgi

Identifiers: CVE-2026-22755, CWE-78

CVE-2026-22755 is a command injection vulnerability in Vivotek legacy surveillance camera firmware affecting numerous models/firmware modules (e.g., FD/FE/IB/IP/IT/MA/MS/TB series; firmware versions cited include 0100a through 0125c). The flaw is in the file upload handling path exposed via /cgi-bin/admin/upload_map.cgi: a user-controlled filename (e.g., POST_FILE_NAME) is formatted into a command string with snprintf() without sanitization, and that string is then executed via system(). Shell metacharacters in the filename (e.g., semicolons) are therefore interpreted by the shell, allowing arbitrary command execution. Reports indicate the executed context is the HTTP server user, which is root on affected devices, and that many impacted legacy cameras may ship without password protection by default, so exploitation is often unauthenticated.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables remote arbitrary command execution on affected cameras, reportedly as root, resulting in full device compromise/administrative control. Downstream impacts described include installation of botnet malware, data exfiltration, disruption of surveillance operations, use of the device as a pivot for lateral movement within the network, and participation in botnet-driven DDoS activity.

Mitigation

If you can’t patch tonight, do this now.

Restrict exposure of camera management/admin interfaces (including /cgi-bin/admin/upload_map.cgi) to trusted management networks or VPN only. Segment legacy camera infrastructure into isolated VLANs. Deploy IDS signatures and monitor for suspicious POST uploads/requests to upload_map.cgi (including the camid parameter and anomalous filenames containing shell metacharacters). Perform device inventory/audits to identify affected models and prioritize containment. Monitor for anomalous process execution and unexpected outbound traffic indicative of botnet enrollment or exfiltration.
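The monitoring step above, and the filename handling described in the vulnerability summary, can be checked against captured requests with a small inspector. This is an added example, not Mallory's or Vivotek's code; the allowlist of expected filename characters, the multipart field name "file", the host name and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

TARGET = "/cgi-bin/admin/upload_map.cgi"  # endpoint named in the advisory
# Assumption: legitimate uploads and parameters use plain names like "floor1.jpg".
SAFE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# filename= inside a multipart Content-Disposition header, quoted or bare.
FILENAME = re.compile(rb'filename\*?=(?:"((?:[^"\\]|\\.)*)"|([^;\r\n]*))', re.I)


def offending(value: str) -> str:
    """Characters in value that fall outside the allowlist."""
    return "".join(sorted(set(re.sub(r"[A-Za-z0-9._-]", "", value))))


def inspect_request(raw: bytes) -> list[str]:
    """Findings for one captured HTTP request; an empty list means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(fields) < 2 or fields[0] != "POST":
        return []
    url = urlsplit(fields[1])
    if not url.path.lower().endswith("upload_map.cgi"):
        return []
    findings = []
    for key, val in parse_qsl(url.query):  # percent-decoded, e.g. camid
        if not SAFE.fullmatch(val):
            findings.append(f"query {key}: unexpected {offending(val)!r}")
    for quoted, bare in FILENAME.findall(body):
        name = (quoted or bare).decode("latin-1")
        if name and not SAFE.fullmatch(name):
            findings.append(f"filename {name!r}: unexpected {offending(name)!r}")
    return findings


def sample(query: str, filename: str) -> bytes:
    """Constructed request; the form field name "file" is an assumption."""
    return (
        f"POST {TARGET}?{query} HTTP/1.1\r\nHost: camera.example\r\n"
        "Content-Type: multipart/form-data; boundary=b\r\n\r\n--b\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n<data>\r\n--b--\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    for req in (sample("camid=1", "floor1.jpg"),
                sample("camid=1", "floor1.jpg;echo constructed")):
        print(inspect_request(req) or "clean")
```

An allowlist is used rather than a list of known-bad characters so that any filename outside the expected shape is surfaced for review; the request body has to be visible to the sensor (for example at a reverse proxy), since access logs do not record upload filenames.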

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that remediate CVE-2026-22755 for all affected Vivotek models/firmware modules (fixed versions are not specified in the provided content). Where updates are not available (legacy/EOL), replace devices or remove them from service, or otherwise ensure they are not reachable from untrusted networks.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product     Type
Vivotek  Fd8365      hardware
Vivotek  Fd8365v2    hardware
Vivotek  Fd9165      hardware
Vivotek  Fd9171      hardware
Vivotek  Fd9187      hardware
Vivotek  Fd9189      hardware
Vivotek  Fd9365      hardware
Vivotek  Fd9371      hardware
Vivotek  Fd9381      hardware
Vivotek  Fd9387      hardware
Vivotek  Fd9389      hardware
Vivotek  Fd9391      hardware
Vivotek  Fe9180      hardware
Vivotek  Fe9181      hardware
Vivotek  Fe9191      hardware
Vivotek  Fe9381      hardware
Vivotek  Fe9382      hardware
Vivotek  Fe9391      hardware
Vivotek  Fe9582      hardware
Vivotek  Ib93587lpr  hardware
Vivotek  Ib9365      hardware
Vivotek  Ib9371      hardware
Vivotek  Ib9381      hardware
Vivotek  Ib9387      hardware
Vivotek  Ib9389      hardware
Vivotek  Ib939       hardware
Vivotek  Ip9165      hardware
Vivotek  Ip9171      hardware
Vivotek  Ip9172      hardware
Vivotek  Ip9181      hardware
Vivotek  Ip9191      hardware
Vivotek  It9389      hardware
Vivotek  Ma9321      hardware
Vivotek  Ma9322      hardware
Vivotek  Ms9321      hardware
Vivotek  Ms9390      hardware
Vivotek  Tb9330      hardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
