CVE-2026-30649: Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows a remote attacker to execute arbitrary code via the set_getparam
Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows a remote attacker to execute arbitrary code via the set_getparam.cgi component
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A buffer overflow vulnerability affects the VIVOTEK INC FD8136-VVTK-0300a network camera firmware, specifically in the set_getparam.cgi component. The flaw is reachable over the network without any authentication, meaning any attacker who can reach the device's web interface can attempt exploitation. Successful exploitation gives the attacker arbitrary code execution on the device. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as an upstream fix ships.
HarborGuard Coverage
Detection for CVE-2026-30649 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including any custom-built images that incorporate affected VIVOTEK firmware components. Coverage applies to both registry scans and in-pipeline image checks.
Status: Available
HarborGuard is capable of scoring this CVE at 7.3 HIGH using the published CVSS v3.1 vector and weighting it against each customer environment's compliance policy. Triage routing sends findings to the appropriate team inbox within each customer organization based on configured severity thresholds.
Status: Available
Because no fix version has been published for CVE-2026-30649, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the device's web interface over the network; the vulnerable component is exposed via HTTP.
- Authentication: Not required
No credentials are needed; the set_getparam.cgi endpoint is accessible without any login.
- Victim interaction: Not required
No user or operator action is required; the attacker sends a crafted request directly to the device.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or memory-layout knowledge.
Blast Radius
- The attacker executes arbitrary code on the camera's firmware, gaining full control of the device process.
- Confidentiality impact is present: the attacker reads data accessible to the compromised process, which may include stored credentials, stream configurations, or captured video.
- Integrity impact is present: the attacker modifies firmware state, configuration files, or persisted settings on the device.
- Availability impact is present: the attacker can crash or restart the camera service, interrupting video capture and monitoring.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images on every scan cycle, flagged at HIGH severity, and routed according to each environment's compliance policy. Because no upstream fix exists yet, patched-image rebuild is not currently available; HarborGuard monitors the advisory and will generate the rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is published. In the interim, compensating controls worth considering include network-policy rules that restrict inbound access to the camera's web interface to trusted subnets only, egress filtering to limit lateral movement from a compromised device, and disabling remote web access to the set_getparam.cgi endpoint if the deployment model permits it.
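To check whether the subnet restriction described above is holding, the following added example (not HarborGuard or VIVOTEK code) audits access logs from a reverse proxy placed in front of the camera and reports requests to set_getparam.cgi that originate outside the trusted subnets. The subnets, the log format, the 403-on-block convention and the `/path/to/` prefix are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumptions (constructed values): trusted subnets, the proxy's log format,
# and that the proxy answers 403 when it blocks a request.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/28")]
ENDPOINT = "set_getparam.cgi"  # component named in the advisory
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_trusted(src):
    """True only if src parses as an IP inside an allowed subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in TRUSTED)

def hits_endpoint(target):
    """Match on the decoded last path segment, ignoring case and query string."""
    path = unquote(urlsplit(target).path)
    return path.rsplit("/", 1)[-1].lower() == ENDPOINT

def audit(lines):
    """Return one finding per endpoint request from outside the trusted subnets."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not hits_endpoint(m["target"]) or is_trusted(m["src"]):
            continue
        findings.append({"src": m["src"], "time": m["ts"], "method": m["method"],
                         "blocked": m["status"] == "403"})
    return findings

# Constructed sample lines; "/path/to/" is a placeholder, not the real device path.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /path/to/set_getparam.cgi?a=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:05:00 +0000] "POST /path/to/set_getparam.cgi HTTP/1.1" 200 128',
    '198.51.100.4 - - [01/Jan/2026:10:06:00 +0000] "GET /path/to/SET%5FGETPARAM.CGI?a=b HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jan/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

A finding with `blocked` set to False means a request from an untrusted source was passed through to the device, so the network restriction is not being enforced on that path.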
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L