PT-2026-1856 · Vivotek · Vivotek Ip7137

Szymon Paszun · Published 2026-01-09 · Updated 2026-01-09

CVE-2025-66052

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Vivotek IP7137 camera versions prior to 0200a

Description

The Vivotek IP7137 camera is affected by a command injection issue. The /cgi-bin/admin/setparam.cgi API endpoint does not properly sanitize the system ntpIt parameter. This allows a user with administrative privileges to execute commands. Administrative access is not protected by default. As the product has reached its End-Of-Life phase, a fix is not expected.

Recommendations

Update the firmware to a version newer than 0200a, if available. As a temporary workaround, restrict access to the /cgi-bin/admin/setparam.cgi endpoint. Avoid using the system ntpIt parameter in the affected API endpoint until the issue is resolved.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00867
CVE-2025-66052

Affected Products

Vivotek Ip7137