Executive summary
The Akamai Security Intelligence and Response Team (SIRT) has identified an unauthenticated command injection that was previously partially disclosed in 2019. The flaw lies in the /cgi-bin/admin/eventtask.cgi parameter within Vivotek legacy firmware. It was originally assigned CVE-2019-19936, but the details were never published and the CVE remains in RESERVED status.
Vivotek has confirmed that the vulnerability impacts legacy hardware that is running old firmware and has said it’s been patched in the latest firmware.
We conducted a vulnerability test on a Vivotek Dome Camera model FD8154-F2. We purchased the camera and then reset it to manufacturer defaults before testing. The default login is root and the camera has no password set.
We have not seen active exploitation of this vulnerability at the time of publication.
Some firmware models have default passwords of mpeg4soc for the root account and the user account login assigning CVE-ID CVE-2025-12592.
Introduction
There are two ways that the Akamai Security Intelligence Response Team (SIRT) discovers, examines, and analyzes the threats active in the wild — reactively and proactively. We reverse-engineer samples that target our global network of custom honeypots, and we examine and investigate firmware to understand the underlying vulnerabilities.
With the cascading effect of patch updates, there can be several zero-days hiding in a firmware’s nooks and crannies. This can be particularly dangerous for Internet of Things (IoT) devices (such as IP cameras), which are notorious for their basic admin credentials — especially if the firmware is retired by the vendor.
Once vendors discontinue updates, these devices become permanent weak points in a network, providing attackers with exploitable entry paths that can bypass modern defenses.
The discovery
During one of these firmware investigations, I decided to look for new zero-days in publicly available Vivotek firmware since there were several versions available. The firmware I downloaded is for their legacy devices and is no longer supported by the vendor, but it is still widely used across many of their existing device models.
I used a Vivotek Dome Camera model FD8154-F2 for this analysis, reset to manufacturer defaults (Figure 1).
I focused on the /usr/share/www/cgi-bin directory to look for binaries accessible via web requests. A quick binary grep search for system gave me a few targets, the first of which was eventtask.cgi.
By looking at the binary with radare2 and then IDA you can see in the generated code in Figure 2 that the variable s is being passed to system() that contains user supplied input from the POST request.
The exploitation
A simple curl command is all that is needed to run arbitrary commands on a vulnerable device. I've redacted the details as the vulnerability will not be patched in unsupported firmware, but I’ve provided the results of executing the uptime command in Figure 3.
> POST /cgi-bin/admin/eventtask.cgi HTTP/1.1
> Host: 192.168.0.132
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 04 Jan 2000 19:24:43 GMT
< Server: Boa/0.94.14rc21
< Accept-Ranges: bytes
< Connection: close
< 19:24:43 up 3 days, 19:20, load average: 0.98, 0.53, 0.41
< Content-type: text/plain
<
Execute uptime, return code 0
The vulnerability test
By default the camera has no authentication, so a simple curl command to eventtask.cgi that returns “Missing parameter” likely means your device is vulnerable (Figure 4).
curl -v http://192.168.0.132/cgi-bin/admin/eventtask.cgi
* Trying 192.168.0.132:80...
* Connected to 192.168.0.132 (192.168.0.132) port 80
> GET /cgi-bin/admin/eventtask.cgi HTTP/1.1
> Host: 192.168.0.132
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 03 Jan 2000 01:41:09 GMT
< Server: Boa/0.94.14rc21
< Accept-Ranges: bytes
< Connection: close
< Content-type: text/plain
<
Missing parameterPrevious partial disclosure
A web search for Vivotek eventtask.cgi CVE didn’t yield any results, nor did a search in our attack logs show any previous exploitation attempts. However, it was brought to my attention that a reference to eventtask.cgi and CVE-ID was made on a Vivotek .pdf document but the details were vague and the CVE remained in a RESERVED state. It seems this vulnerability was discovered but not documented and published.
The device models that may be vulnerable
There are a significant number of models impacted, many of them quite old and no longer supported by the vendor but still widely used in the wild.
Since the swath of affected devices spans indoor, outdoor, residential, commercial, and beyond, I’ve created a series of tables to assist in identifying the various affected models to assess their vulnerability level.
Table 1 identifies the device type and typical use by prefix.
Prefix |
Device type |
Typical use |
|---|---|---|
FD |
Fixed dome camera |
Ceiling or wall-mounted domes for indoor/outdoor use |
IB |
Bullet camera |
Cylindrical cameras, often with infrared and outdoor housings |
IP |
Box/compact network camera |
Traditional rectangular box-style cameras |
CC |
Compact/panoramic camera |
180-degree panoramic or compact wall cameras |
CD |
Corner dome camera |
Anti-ligature or corner-mounted for detention/industrial use |
FE |
Fisheye camera |
360-degree panoramic hemispheric lenses |
IT |
Transport/industrial camera |
Ruggedized cameras for vehicles or transport systems |
IZ |
Zoom/PTZ camera (box style) |
Motorized zoom lenses, often indoor installations |
SD |
Speed dome/PTZ camera |
Fully motorized pan-tilt-zoom domes, often outdoor or high-end security |
MA/MS |
Multisensor camera |
Multi-lens panoramic cameras (180-degree or 360-degree views) |
MD |
Mobile/compact dome camera |
Smaller, vehicle, or ATM-type compact domes |
PD/PZ |
Pan/zoom cameras |
PT or PTZ cameras for specific deployments |
TB/VC/VS |
Video server/encoder/decoder |
For analog-to-IP video conversion or stream management |
-VVTK (suffix) |
Internal/OEM reference |
Sometimes appended by Vivotek or partners for internal use |
Table 1: Prefix, type, and typical use of Vivotek devices
Vivotek’s’s numeric series provides a rough idea of the typical resolution and generation (era), as shown in Table 2.
Series |
Typical resolution (Era) |
|---|---|
7xxx |
Early 1 MP / VGA / D1 series (2008–2012) |
8xxx |
2–5 MP range, mainstream (2013–2018) |
9xxx |
5–12 MP, AI / Smart Stream / IR (2019–2024) |
81xx / 83xx / 91xx |
Subseries within those generations (FD8136, FD9165, etc.) |
Table 2: Vivotek’s resolution and generation (era) may be indicated by series number
Vivotek device models
Table 3 identifies the vulnerable Vivotek device models.
Model |
Model |
Model |
Model |
|---|---|---|---|
AS5336E-VVTK |
BB5315-VVTK |
BD5115-VVTK |
BS5332-VVTK |
CC8130-VVTK |
CC8160-VVTK |
CC8370-HV |
CC8370-VVTK |
CC8371-HV |
CC9381-VVTK |
CD8371-HNTV |
CD8371-HNVF2 |
CD8371-VVTK |
FD7130-VVTK |
FD7131-VVTK |
FD7141-VVTK |
FD7160-VVTK |
FD8131-VVTK |
FD8133-VVTK |
FD8133-VVTK |
FD8134-VVTK |
FD8135-VVTK |
FD8136-VVTK |
FD8137-VVTK |
FD8138-H |
FD8151V-VVTK |
FD8152-VVTK |
FD8154-VVTK |
FD8161-VVTK |
FD8161-VVTK |
FD8162-VVTK |
FD8163-VVTK |
FD8164-VVTK |
FD8166A-N |
FD8166AS-VVTK |
FD8166A-VVTK |
FD8166-VVTK |
FD8167A-VVTK |
FD8167-T |
FD8167-VVTK |
FD8168-VVTK |
FD8169A_sample- |
FD8169A_sample_v2- |
FD8169A-VVTK |
FD8169-VVTK |
FD816BA-HT |
FD816BA-VVTK |
FD816B-HF2 |
FD816B-VVTK |
FD816CA-HF2 |
FD816C-HF2 |
FD8173-H |
FD8177-H |
FD8177-VVTK |
FD8179-VVTK |
FD8182-VVTK |
FD8335-VVTK |
FD8338-HV |
FD8361-VVTK |
FD8362E-VVTK |
FD8363-VVTK |
FD8365-HTV_v2_010600 |
FD8365_v2-VVTK |
FD8366-VVTK |
FD8367A-V |
FD8367A-VVTK |
FD8367-TV |
FD8367-V |
FD8369A-V |
FD8369A-VVTK |
FD836BA-VVTK |
FD836B-VVTK |
FD836B-VVTK_vml3 |
FD8372-VVTK |
FD8373-EHV |
FD8379-HV |
FD8382-VVTK |
FD8X69A-FD8X67A |
FD8x6BA,IB836BA-VVTK |
FD8X6B-IB836B_0101l |
FD8x82,IB8382-VVTK |
FD8x82-VVTK |
FD9165-HT |
FD9167-H |
FD9167-HT |
FD9167-VVTK |
FD9171-HT |
FD9171-VVTK |
FD9181-VVTK |
FD9187-H |
FD9187-HT |
FD9187-VVTK |
FD9189-VVTK |
FD9360-VVTK |
FD9365-(E)HTV |
FD9365-HTV |
FD9365-VVTK |
FD9367-VVTK |
FD9368-VVTK |
FD9371-HTV |
FD9371-VVTK |
FD9380-VVTK |
FD9381-VVTK |
FD9387-HTV |
FD9387-HV |
FD9387_sample_42331 |
FD9388-HTV |
FD9388-VVTK |
FD9389-VVTK |
FD9391-EHTV |
FD9x67-VVTK |
FE8171-VVTK |
FE8171V-VVTK |
FE8172-VVTK |
FE8172-VVTK |
FE8173-VVTK |
FE8174-VVTK |
FE8180-VVTK |
FE8181-VVTK |
FE8182-VVTK |
FE9180-VVTK |
FE9181-H |
FE9181-VVTK |
FE9182-VVTK |
FE9191-VVTK |
FE9381-VVTK |
FE9382-VVTK |
FE9391-VVTK |
FE9582-VVTK |
IB8156-VVTK |
IB8168-VVTK |
IB8338-H |
IB8354-VVTK |
IB8360-VVTK |
IB8360-W |
IB8367A-VVTK |
IB8367-T |
IB8367-VVTK |
IB8369A-VVTK |
IB8369-VVTK |
IB836BA-HT |
IB836BA-VVTK |
IB8373-EH |
IB8377-H |
IB8377HT-VVTK |
IB8379-VVTK |
IB8382-F3 |
IB8382-T |
IB8382-VVTK |
IB9360-VVTK |
IB9365_87_LPR-W_49663_1 |
IB9365-EHT |
IB9365-EHT_0113a_sampleforiris |
IB9365-HT |
IB9365-LPR |
IB9367-H |
IB9367-HT |
IB9367-VVTK |
IB9368-VVTK |
IB9371-VVTK |
IB9380-VVTK |
IB9381-VVTK |
IB9387-H |
IB9387-HT |
IB9387-LPR |
IB9387-LPR_fixed |
IB9387-VVTK |
IB9388-VVTK |
IB9389-VVTK |
IB9391-EHT |
IB9391-VVTK |
IP7130-VVTK |
IP7138-VVTK |
IP7142-VVTK |
IP7151-VVTK |
IP7152-VVTK |
IP7153-VVTK |
IP7154-VVTK |
IP7160-VVTK |
IP7161-VVTK |
IP7330-VVTK |
IP7361-VVTK |
IP8130-VVTK |
IP8131-VVTK |
IP8131W-VVTK |
IP8132-VVTK |
IP813x-VVTK |
IP8151-VVTK |
IP8152-VVTK |
IP8152-VVTM |
IP8160_1 |
IP8160-VVTK |
IP8160-W |
IP8160W-VVTK |
IP8161-VVTK |
IP8162-VVTK |
IP8166-VVTK |
IP8172-VVTK |
IP8330-VVTK |
IP8331-VVTK |
IP8331-VVTK |
IP8332-VVTK |
IP8335-VVTK |
IP8336-VVTK |
IP8337-VVTK |
IP8352-VVTK |
IP8362-VVTK |
IP8364-VVTK |
IP8372-VVTK |
IP9165-0100f_013 |
IP9165-0100f_016 |
IP9165-0100f_017 |
IP9165-0100f_018 |
IP9165-0100f_019 |
IP9165-0100f_020 |
IP9165-VVTK |
IP9167-HT |
IP9167-VVTK |
IP9171-HP |
IP9171-VVTK |
IP9172-LPC |
IP9181-VVTK |
IP9191-VVTK |
IT9360-VVTK |
IT9368-VVTK |
IT9380-VVTK |
IT9388-VVTK |
IT9389-VVTK |
IZ9361-EH |
IZ9361-VVTK |
MA8391-VVTK |
MA9321-VVTK |
MA9322-VVTK |
MD7560-COGN |
MD7560-VVTK |
MD8531-VVTK |
MD8562-VVTK |
MD8563-EHF2 |
MD8563-EHF4 |
MD8563-VVTK |
MD8565-N |
MS8391-VVTK |
MS9321-VVTK |
MS9390-HV |
MS9390-VVTK |
PD8136-VVTK |
pt8133-VVTK |
PT8133-VVTK |
PZ7131-VVTK |
PZ71X1-VVTK |
PZ71X2-VVTK |
PZ81XX-VVTK |
SD81X1-VVTK |
SD8332E-VVTK |
SD8333-E |
SD8362-VVTK |
SD8363E-VVTK |
SD8363-VVTK |
SD8364E-VVTK |
SD8364-VVTK |
SD83X3-VVTK |
SD83X6E-VVTK |
SD83X6-VVTK |
SD9161-H |
SD9361(2)-EH(L) |
SD9361-EHL |
SD9361-VVTK |
SD9362(4)(6)-EH |
SD9362-EH |
SD9362-EHL |
SD9362-EHL_37544_010600 |
SD9362-VVTK |
SD9363(4)-EH(L) |
SD9363-EHL |
SD9363-VVTK |
SD9364-EH |
SD9364-EHL |
SD9364_v2-VVTK |
SD9364-VVTK |
SD9365(6)-EH(L) |
SD9365-EHL |
SD9365-VVTK |
SD9366-EHL |
SD9366_v2-VVTK |
SD9366-VVTK |
SF8172-VVTK |
TB9330-VVTK |
VC8101-VVTK |
VS8100-v2 |
VS8100-V2 |
VS8100-v2_sample_41102 |
VS8100-VVTK |
VS8101-VTPE |
VS8101-VVTK |
VS8102-AGVI |
vs8102-VVTK |
VS8102-VVTK |
VS8401-VVTK |
VS8801-VVTK |
VVTK-IB938 |
Table 3: The Vivotek devices that are affected (Note: Firmware versions 0100c through 0305a4 are vulnerable; these versions have been retired by the vendor and will not be updated)
Camera models with default password
Table 4 identifies the vulnerable Vivotek device models with the default password of mpeg4soc.
FD7131-VVTK-0100g |
FD7131-VVTK-0201c |
FD7131-VVTK-0300b |
FD7141-VVTK-0200a |
IP7131-VVTK-0200a |
IP7133-VVTK-0201a |
IP7133-VVTK-0202a |
IP7133-VVTK-0203a |
IP7134-VVTK-0202a |
IP7135-VVTK-0100i |
IP7135-VVTK-0101b |
IP7135-VVTK-0199z |
IP7135-VVTK-0400a |
IP7137-VVTK-0199z |
IP7137-VVTK-0200a |
IP7137-VVTK-0202b |
IP7137-VVTK-0300a |
IP7137-VVTK-0302a |
IP7137-VVTK-0401a |
IP7138-VVTK-0201k |
IP7142-VVTK-0300a |
IP7142-VVTK-0302c |
IP7151-VVTK-0200g |
IP7152-VVTK-0200c |
IP7153-VVTK-0200c |
IP7153-VVTK-0300a |
IP7154-VVTK-0200a |
IP7330-VVTK-0101c |
IP7330-VVTK-0200b |
IP7330-VVTK-0300b |
IP8131-VVTK-0100e1 |
IP8131-VVTK-0100e2 |
IP8131-VVTK-0100f |
IP8131W-VVTK-0100e |
PT7135-VVTK-0400a |
PT7137-TCON-0101b |
PT7137-VVTK-0400a |
PT7137-VVTK-0400b |
PT7137-VVTK-0500a |
PT7137-VVTK-0500b |
PZ7131-VVTK-0100b |
PZ7131-VVTK-0200a |
PZ71X1-VVTK-0201a |
PZ71X1-VVTK-0201a1 |
PZ71X2-VVTK-0201a |
SD73X3-VVTK-0102a |
SD73X3-VVTK-0103c |
SD73X3-VVTK-0103cb |
TC5330-VVTK-0200a |
TC5332-TCVV-0101b |
TC5333-TCVV-0101b |
TC5633-TCVV-0200a |
TC5633-VVTK-0200a |
VS7100-VVTK-0101e |
VS7100-VVTK-0200c |
VS7100-VVTK-0301b3 |
Table 4. List of devices with default password of mpeg4soc
YARA rule
Figure 5 shows the YARA rule to match on exploitation attempts.
rule EventTask_CGI_CVE_2019_19936_HTTP
{
meta:
author = "Akamai SIRT"
purpose = "detection of requests/logs referencing eventtask.cgi exploitation"
strings:
$endpoint = "/cgi-bin/admin/eventtask.cgi" nocase
$token = "eventtask" nocase
$method = "method=" nocase
$file = "file=" nocase
$execword = "exec" nocase
condition:
// match the endpoint/token plus at least one exec-ish indicator,
// OR match method/file plus exec/system tokens (covers truncated lines)
( ($endpoint or $token) and ( $method or $file or $execword )
or ( $method and ($file or $execword) ))
}Conclusion
Legacy IoT devices continue to pose a significant threat to security as they age and stop being supported by manufacturers. Many of these devices — from cameras and routers to industrial sensors and smart home equipment — were designed with limited security features and often rely on outdated firmware that is no longer maintained or patched against newly discovered vulnerabilities.
Once vendors discontinue updates, these devices become permanent weak points in a network, providing attackers with exploitable entry paths that can bypass modern defenses. Legacy IoT devices are frequently deployed in critical environments where replacement is costly or operationally disruptive, leading organizations to keep them online despite the risks.
As a result, unpatched legacy IoT systems remain a persistent attack surface that can be leveraged for data breaches, lateral movement, or inclusion in botnets — making their identification, isolation, or secure retirement a crucial part of modern cybersecurity strategy.
Tags
