
CVE-2026-35716: Vivotek FD8136 Buffer Overflow Vulnerability

CVE-2026-35716 is a stack-based buffer overflow in Vivotek FD8136 firmware that allows authenticated attackers to execute arbitrary code as root. This article covers technical details, affected versions, and mitigation.

CVE-2026-35716 Overview

CVE-2026-35716 is a stack-based buffer overflow [CWE-121] in the motion_privacy.cgi binary shipped with VIVOTEK FD8136 firmware version FD8136-VVTK-0300a. Authenticated remote attackers can execute arbitrary code as root by sending an oversized n1 parameter in a POST request to /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi. All three endpoints are symbolic links to the same binary. The parameter value is copied into a fixed 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries, removing a standard exploit mitigation.

Critical Impact

Authenticated attackers can gain root-level code execution on affected VIVOTEK FD8136 IP cameras, enabling full device compromise and pivoting into the connected network.

Affected Products

  • VIVOTEK FD8136 IP camera (hardware)
  • VIVOTEK FD8136 firmware version FD8136-VVTK-0300a
  • All endpoints symlinked to motion_privacy.cgi (setpm.cgi, setmd.cgi, setmd_profile.cgi)

Discovery Timeline

  • 2026-06-02 - CVE-2026-35716 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-35716

Vulnerability Analysis

The vulnerability resides in the motion_privacy.cgi binary, which handles administrative HTTP POST requests on the FD8136 web management interface. When the binary processes the n1 parameter, it copies the user-supplied value into a fixed-size 0xa4-byte (164 byte) stack buffer using an unbounded copy operation. Because the binary lacks stack canaries, the saved link register on the ARM stack frame can be overwritten directly, transferring execution control to an attacker-chosen address when the function returns.

The attack requires authenticated access with administrative privileges, as the vulnerable endpoints live under the /cgi-bin/admin/ path. Once authenticated, attackers gain code execution under the root account that runs the CGI handler, providing full control over the camera firmware, video stream, and any network reachable from the device.

Root Cause

The binary uses an unsafe string copy into a fixed-size stack buffer without validating the length of the n1 POST parameter. Combined with the absence of -fstack-protector canaries during compilation, the saved link register is reachable and overwritable in a single request.

Attack Vector

Exploitation requires network reachability to the camera's web interface and valid administrator credentials. The attacker sends a single HTTP POST to any of the three symlinked endpoints with an n1 parameter exceeding 164 bytes, then leverages the link register overwrite to redirect execution. The vulnerability is described in detail in the GitHub Vulnerability Research for CVE-2026-35716.

// No verified exploit code is published. The vulnerability mechanism
// is summarized as follows:
//
// POST /cgi-bin/admin/setpm.cgi HTTP/1.1
// Authorization: Basic <admin creds>
// Content-Type: application/x-www-form-urlencoded
//
// n1=<AAAA... payload exceeding 0xa4 bytes overwriting saved LR>

Detection Methods for CVE-2026-35716

Indicators of Compromise

  • POST requests to /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi containing an n1 parameter longer than 164 bytes.
  • Unexpected outbound connections originating from FD8136 cameras to attacker-controlled hosts.
  • Crashes, reboots, or motion_privacy.cgi process restarts following administrative HTTP requests.
  • New or modified files in writable firmware partitions after a suspicious POST to the affected endpoints.

Detection Strategies

  • Inspect HTTP request logs from camera management proxies for oversized n1 parameter values on the three symlinked endpoints.
  • Apply network intrusion detection signatures that match POST bodies containing n1= followed by more than 164 bytes targeting /cgi-bin/admin/.
  • Correlate authentication events on FD8136 devices with subsequent administrative POSTs to identify credential abuse.
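
The log inspection described in the strategies above, as an added example that is not part of the original advisory or any vendor tooling: it flags POSTs to the three symlinked endpoints whose percent-decoded n1 value exceeds the 0xa4-byte buffer. The record layout (source address, method, request target, body) and the sample records are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

BUF_SIZE = 0xA4  # 164-byte stack buffer named in the advisory
ENDPOINTS = {    # all three are symlinks to motion_privacy.cgi
    "/cgi-bin/admin/setpm.cgi",
    "/cgi-bin/admin/setmd.cgi",
    "/cgi-bin/admin/setmd_profile.cgi",
}

def normalize_path(target):
    """Drop the query, percent-decode, collapse '//' and '.'/'..' segments."""
    raw = target.split("?", 1)[0]
    path = unquote_to_bytes(raw).decode("latin-1")
    return posixpath.normpath(re.sub(r"/+", "/", path))

def n1_lengths(body):
    """Decoded byte length of every n1 value in a form-urlencoded body."""
    lengths = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if unquote_to_bytes(name.replace("+", " ")) == b"n1":
            lengths.append(len(unquote_to_bytes(value.replace("+", " "))))
    return lengths

def flag_requests(records):
    """Return (src, path, n1_len) for POSTs whose n1 exceeds the buffer."""
    alerts = []
    for src, method, target, body in records:
        path = normalize_path(target)
        if method.upper() != "POST" or path not in ENDPOINTS:
            continue
        longest = max(n1_lengths(body), default=0)
        if longest > BUF_SIZE:
            alerts.append((src, path, longest))
    return alerts

# Constructed sample records (src, method, target, body); layout is an assumption.
SAMPLE = [
    ("192.0.2.20", "POST", "/cgi-bin/admin/setpm.cgi", "n1=" + "A" * 200),
    ("192.0.2.21", "POST", "/cgi-bin/admin/setmd.cgi", "n1=" + "%41" * 60),
    ("192.0.2.22", "POST", "/cgi-bin/admin//setmd_profile.cgi?x=1", "n1=" + "%41" * 165),
    ("192.0.2.23", "POST", "/cgi-bin/admin/setmd.cgi", "n1=1"),
]

if __name__ == "__main__":
    for alert in flag_requests(SAMPLE):
        print(alert)
```

Measuring the decoded value avoids both failure modes of a raw length check: the second record is 180 characters on the wire but only 60 bytes once decoded, while the third reaches 165 decoded bytes through a path written with a doubled slash.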

Monitoring Recommendations

  • Forward camera web server access logs to a centralized log platform for retention and analysis.
  • Baseline normal cgi-bin traffic patterns and alert on deviations in request size or frequency.
  • Monitor for new TCP listeners or reverse shell connections sourced from camera IP ranges.

How to Mitigate CVE-2026-35716

Immediate Actions Required

  • Restrict access to the FD8136 web management interface to trusted administrative networks only, using firewall rules or VLAN segmentation.
  • Rotate administrator credentials and disable any default or shared accounts on affected cameras.
  • Place FD8136 devices on an isolated network segment with no direct path to sensitive internal resources.
  • Audit authentication logs for unauthorized administrative sessions preceding the disclosure date.

Patch Information

No vendor advisory or patched firmware version is referenced in the NVD record at the time of publication. Consult the Vivotek Company Homepage for firmware updates and contact the vendor for FD8136-specific guidance.

Workarounds

  • Block external access to /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi at an upstream reverse proxy or web application firewall.
  • Enforce strong, unique administrator passwords and disable HTTP Basic authentication where alternative authentication is available.
  • Disable remote administration of the camera if it is not required for operational use.
  • Decommission and replace end-of-life FD8136 units if no patched firmware is released by the vendor.

```bash
# Example: drop external traffic to the vulnerable endpoints at an upstream gateway.
# <camera_ip> is a placeholder for the camera's address. The string match inspects
# cleartext packet payloads only, so it does not cover HTTPS or percent-encoded paths.
iptables -A FORWARD -p tcp -d <camera_ip> --dport 80 \
  -m string --algo bm --string "/cgi-bin/admin/setpm.cgi" -j DROP
iptables -A FORWARD -p tcp -d <camera_ip> --dport 80 \
  -m string --algo bm --string "/cgi-bin/admin/setmd.cgi" -j DROP
iptables -A FORWARD -p tcp -d <camera_ip> --dport 80 \
  -m string --algo bm --string "/cgi-bin/admin/setmd_profile.cgi" -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
