CVE-2026-30652: A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo
A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow in the /cgi-bin/dido/setdo.cgi endpoint of the Vivotek FD8136 camera admin interface allows a network-reachable, authenticated attacker to execute arbitrary code as root on the device. The vulnerability is reachable over the network and requires a valid (low-privilege) account on the admin interface. Successful exploitation gives the attacker full root-level code execution on the affected camera. No upstream fix has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-30652 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Vivotek FD8136 firmware or related components.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and applying per-environment compliance policy weighting to prioritize it appropriately, routing findings to the correct team or inbox within each customer organization.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation of camera management interfaces are surfaced as recommendations within the platform for affected environments.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the camera's admin interface over the network; the vulnerable CGI endpoint is exposed via HTTP/HTTPS on the device's management plane.
- Authentication: Required
  A valid account on the camera's admin interface is required, though any low-privilege credential is sufficient to trigger the overflow.
- Victim interaction: Not required
  No victim interaction is needed; the attacker sends a crafted request directly to the endpoint without any user involvement.
- Attack complexity (detail)
  Attack complexity is low, meaning the exploit is reliable and imposes no special environmental conditions, race conditions, or memory-layout dependencies on the attacker.
Blast Radius
- The attacker gains arbitrary code execution as root on the camera, giving full control over the device's operating system and all processes running on it.
- All video streams, stored recordings, and credentials held on the device are readable by the attacker.
- The attacker can modify device configuration, disable recording, or redirect video feeds, corrupting the integrity of the surveillance system.
- The camera process and management interface can be crashed or rendered permanently unavailable, disrupting physical-security monitoring.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against customer images on every ingest cycle, covering both vendor-supplied and custom-built images that include affected Vivotek FD8136 firmware components. Because no upstream patch exists, HarborGuard monitors the advisory continuously and will surface a patched-image rebuild automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention. While no patch is available, HarborGuard can surface compensating-control recommendations including network-policy isolation of camera management interfaces, egress filtering to limit lateral movement from a compromised device, and flag-gating or disabling remote admin access where operationally feasible. Customers are encouraged to review their compliance policy settings to ensure HIGH-severity findings on internet-adjacent devices are routed to the appropriate team with appropriate urgency.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H