Vivotek IP7137 Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Vivotek IP7137 camera running firmware version 0200a. The issue arises in the '/cgi-bin/admin/setparam.cgi' endpoint, where the 'system_ntpIt' parameter is not properly sanitized. This flaw allows users with administrative privileges to execute arbitrary commands. Additionally, due to another vulnerability (CVE-2025-66050), administrative access is not secured by default. The manufacturer has not responded to the vulnerability report, and it is likely that all firmware versions are affected. As the product has reached its End-Of-Life phase, no fix is anticipated.

Impact

Exploitation of this vulnerability allows authenticated users with administrative rights to execute arbitrary commands on the camera.

Added: Jan 9, 2026, 12:22 PM

Updated: Jan 9, 2026, 12:22 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.8

remediation

0.0

relevance

1.9

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

4.8

remediation

0.0

relevance

1.9

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vivotek IP7137 Command Injection Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating