CVE-2026-11845: IEI Integration Corp | iVEC-IEI Virtualization Edge Computer - OS Command Injection
The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: 1.0.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects the iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp. The flaw is reachable over the network and requires a privileged (admin-level) account, but no interaction from any victim. A successful attacker can inject and execute arbitrary operating system commands on the device, gaining full read, write, and availability control over the affected system. A patched-image rebuild at version 1.0.4 is available on HarborGuard for environments running an affected version of iVEC TANK-XM811.
HarborGuard Coverage
Detection of CVE-2026-11845 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that incorporate affected iVEC-IEI components. Any image in a connected registry or CI pipeline carrying a vulnerable version below 1.0.4 is flagged automatically.
Available
HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and weights the finding against each customer organization's configured compliance policy to determine urgency. Triage alerts are routed to the appropriate team inbox within each customer org based on image ownership and policy rules.
Available
A patched-image rebuild pinned to iVEC TANK-XM811 version 1.0.4 is available on HarborGuard for any environment where a vulnerable version is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the iVEC-IEI device's management interface over the network; there is no local-only or physical constraint on access.
- Authentication: Required
  A privileged (admin-level) account is required; the attacker must already hold or have stolen high-privilege credentials before the injection can be executed.
- Victim interaction: Not required
  No user action or social engineering is needed; the attacker can trigger the vulnerability entirely without involving any other party.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or variable setup.
Blast Radius
- Reads any file or secret accessible to the device's OS process, including stored credentials, configuration data, and runtime secrets.
- Writes or overwrites arbitrary files on the device, enabling persistent backdoors or configuration tampering.
- Executes commands that crash or halt virtualization workloads running on the edge device, disrupting availability of hosted services.
- Full command execution scope means an attacker can pivot to lateral movement within the local network segment served by the edge appliance.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11845 activates the moment the advisory is ingested, flagging any image in a customer registry or pipeline that includes an affected iVEC TANK-XM811 version below 1.0.4. A rebuild at the fixed version 1.0.4 is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes the regression test suite, and opens a pull request against impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding appears in the triage queue with CVSS context and policy weighting so the responsible team can act manually. Given that exploitation requires only a privileged account with no victim interaction, organizations should also review network-policy controls to restrict access to the iVEC management interface from untrusted network segments while a patched image is prepared and deployed.
Fix available
- IEI Integration Corp / iVEC TANK-XM811 < 1.0.4 (from 0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N