PT-2017-2639 · Vivotek · Vivotek Network Camera Fd816Ba+2

Published: 2017-06-23 · Updated: 2019-10-03 · CVE-2017-9828

CVSS v3.1

10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

VIVOTEK Network Camera IB8369, FD8164, and FD816BA (affected versions not specified)

Description

The vulnerability stems from insufficient input validation in the /cgi-bin/admin/testserver.cgi web service of the network camera's firmware. A remote attacker can execute arbitrary shell commands with superuser privileges by sending a specially crafted HTTP request that places shell metacharacters in the senderemail parameter.

Recommendations

For VIVOTEK Network Camera IB8369, FD8164, and FD816BA, consider disabling the /cgi-bin/admin/testserver.cgi endpoint until a patch is available. Restrict access to the senderemail parameter of the affected endpoint to minimize the risk of shell command injection, and avoid using the senderemail parameter of /cgi-bin/admin/testserver.cgi until the issue is resolved.
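As an added illustration (not part of this advisory or of VIVOTEK's firmware), the two checks a defender would want here: a strict allow-list validator for the senderemail value, and a pass over access-log lines that flags calls to /cgi-bin/admin/testserver.cgi whose senderemail fails that allow-list. The log format, the sample log lines and the validation rule are assumptions, not the vendor's fix.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULNERABLE_ENDPOINT = "/cgi-bin/admin/testserver.cgi"

# Allow-list for the sender address: local part, "@", at least two dotted labels.
# Shell metacharacters (; | & ` $ ( ) quotes, newlines) fall outside this set and
# are rejected before the value could reach a shell. Hypothetical rule, not VIVOTEK's.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$")


def is_valid_sender_email(value: str) -> bool:
    """Return True only if value matches the strict allow-list."""
    return EMAIL_RE.fullmatch(value) is not None


# Combined-log-format request line (assumed format, typical of web access logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_testserver_requests(log_lines):
    """Return (client_ip, decoded_senderemail) for every request to the
    affected endpoint whose senderemail value fails the allow-list."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_ENDPOINT:
            continue
        # parse_qs percent-decodes, so %3B is inspected as ';' (as the CGI would see it)
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("senderemail", []):
            if not is_valid_sender_email(value):
                findings.append((m.group("ip"), value))
    return findings


# Constructed sample log lines (not real traffic): one benign call, two with metacharacters.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2017:10:01:02 +0000] "GET /cgi-bin/admin/testserver.cgi?senderemail=ops%40example.com HTTP/1.1" 200 312',
    '10.0.0.9 - - [23/Jun/2017:10:01:07 +0000] "GET /cgi-bin/admin/testserver.cgi?senderemail=ops%40example.com%3Bfoo HTTP/1.1" 200 312',
    '10.0.0.9 - - [23/Jun/2017:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [23/Jun/2017:10:01:11 +0000] "GET /cgi-bin/admin/testserver.cgi?senderemail=ops%40example.com%7Cx HTTP/1.1" 200 312',
]
```

Access logs only record query-string parameters; if the camera accepts senderemail in a POST body, the same validator has to run in the request handler or in a reverse proxy that inspects bodies.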

Weakness Enumeration

OS Command Injection
Command Injection

Related Identifiers

BDU:2017-01866
CVE-2017-9828

Affected Products

Vivotek Network Camera Fd8164
Vivotek Network Camera Fd816Ba
Vivotek Network Camera Ib8369