CVE-2026-22755: Vivotek IP Camera RCE Vulnerability

CVE-2026-22755 Overview

CVE-2026-22755 is a critical command injection vulnerability affecting a wide range of Vivotek IP camera devices. The vulnerability stems from improper neutralization of special elements used in OS commands, allowing attackers to execute arbitrary commands on affected devices remotely without authentication. This flaw exists within the firmware modules of numerous Vivotek camera models, making it a significant security concern for organizations relying on these devices for surveillance and security monitoring.

Critical Impact

Unauthenticated attackers can remotely execute arbitrary operating system commands on affected Vivotek IP cameras, potentially leading to complete device compromise, lateral network movement, and integration into botnets.

Affected Products

• Vivotek FD Series: FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391
• Vivotek FE Series: FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582
• Vivotek IB Series: IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939
• Vivotek IP Series: IP9165, IP9171, IP9172, IP9181, IP9191
• Vivotek Additional Models: IT9389, MA9321, MA9322, MS9321, MS9390, TB9330
• Affected Firmware Versions: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c

Discovery Timeline

• January 13, 2026 - CVE-2026-22755 published to NVD
• January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2026-22755

Vulnerability Analysis

This command injection vulnerability (CWE-77) allows attackers to inject and execute arbitrary operating system commands on affected Vivotek IP cameras. The vulnerability is accessible over the network without requiring authentication or user interaction, making it particularly dangerous for internet-exposed devices.

The attack surface is extensive, affecting over 30 different camera models across multiple Vivotek product lines. When exploited, an attacker can achieve complete control over the device, including the ability to modify camera configurations, access video feeds, pivot to other network resources, or incorporate the device into a botnet infrastructure.

IoT devices like IP cameras are frequently targeted by threat actors due to their typically weak security posture, infrequent patching, and persistent network connectivity. This vulnerability is especially concerning given the widespread deployment of Vivotek cameras in enterprise and critical infrastructure environments.

Root Cause

The root cause of CVE-2026-22755 is the failure to properly sanitize user-supplied input before incorporating it into operating system commands. The firmware modules fail to neutralize special characters and command separators that can be used to break out of the intended command context and inject malicious commands.

This is a classic case of improper input validation where metacharacters such as semicolons, pipes, backticks, and other shell command separators are not filtered or escaped, allowing attackers to chain arbitrary commands with legitimate operations.

Attack Vector

The vulnerability is exploitable remotely over the network. An attacker can craft malicious requests containing OS command injection payloads targeting vulnerable endpoints in the camera's web interface or API. The attack does not require authentication or any form of user interaction, making automated exploitation feasible.

The network-accessible nature of IP cameras, combined with the lack of authentication requirements, means that any camera exposed to the internet or accessible from an attacker's network position is at immediate risk. Successful exploitation grants the attacker shell access with the privileges of the web service process, which often runs with elevated permissions on embedded devices.

For detailed technical information about this vulnerability, refer to the VapidLabs Security Advisory V220.

Detection Methods for CVE-2026-22755

Indicators of Compromise

• Unexpected outbound connections from camera devices to unknown IP addresses or command-and-control servers
• Unusual process execution on camera devices, particularly shell processes spawned by web server processes
• Modified camera configurations or firmware changes not authorized by administrators
• Increased network traffic or bandwidth usage from camera devices
• Presence of unfamiliar files or scripts in camera filesystem directories

Detection Strategies

• Implement network monitoring to detect anomalous HTTP requests containing command injection patterns targeting Vivotek cameras
• Deploy intrusion detection system (IDS) rules to identify common command injection payloads such as semicolons, pipes, and shell metacharacters in web requests
• Monitor for unusual DNS queries or network connections originating from camera device IP addresses
• Enable and analyze web server access logs on cameras for suspicious request patterns

Monitoring Recommendations

• Conduct regular firmware version audits across all deployed Vivotek camera devices to identify vulnerable versions
• Implement network segmentation to isolate IoT devices like IP cameras from critical network segments
• Use network traffic analysis tools to establish baseline behavior for camera devices and alert on deviations
• Monitor for known IoT botnet communication patterns that may indicate compromised camera devices

How to Mitigate CVE-2026-22755

Immediate Actions Required

• Identify all affected Vivotek camera models and firmware versions deployed in your environment
• Immediately restrict network access to affected cameras, removing them from internet-facing exposure
• Implement network segmentation to isolate cameras from critical infrastructure and sensitive network segments
• Review camera access logs for signs of exploitation attempts or successful compromise
• Contact Vivotek support to inquire about firmware updates addressing this vulnerability

Patch Information

Organizations should monitor Vivotek's official security advisories and support channels for firmware updates that address CVE-2026-22755. Given the critical severity, applying vendor-provided patches should be treated as an urgent priority. Refer to the VapidLabs Security Advisory V220 for additional technical context.

Workarounds

• Place all affected cameras behind a firewall and restrict access to trusted IP addresses only
• Disable any unnecessary services or features on the cameras to reduce the attack surface
• Implement a VPN requirement for remote access to camera management interfaces
• Deploy a web application firewall (WAF) configured to filter command injection patterns in front of camera web interfaces
• Consider taking critical cameras offline until patches are available if the risk is deemed unacceptable

# Example: Restrict camera access using iptables (apply on network firewall)
# Allow only trusted management subnet to access camera web interface
iptables -A INPUT -p tcp -s 10.0.1.0/24 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 10.0.1.0/24 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP