CVE-2025-66052 in IP7137

Summary

by MITRE • 01/09/2026

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.


Analysis

by VulDB Data Team • 01/15/2026

The vulnerability identified as CVE-2025-66052 represents a critical command injection flaw within Vivotek IP7137 network camera firmware version 0200a. This security weakness stems from insufficient input validation in the system_ntpIt parameter processing within the /cgi-bin/admin/setparam.cgi endpoint. The flaw allows authenticated administrative users to inject malicious commands that execute with elevated privileges on the affected device. The vulnerability is particularly concerning because it leverages a parameter that should only accept legitimate time synchronization values but instead permits arbitrary command execution through improper sanitization of user-supplied input. The lack of proper parameter validation creates an attack surface where malicious commands can be passed directly to the underlying operating system, potentially enabling full system compromise.

The technical exploitation of this vulnerability aligns with CWE-77 and CWE-94 categories, which specifically address command injection and code injection flaws respectively. Attackers can leverage this weakness to execute arbitrary system commands, potentially gaining root access to the camera's operating system, modifying system configurations, or even installing persistent backdoors. The attack vector requires administrative privileges, which are already compromised due to CVE-2025-66050, where administrative access is not protected by default. This means that an attacker could potentially gain administrative access through other means and then utilize this command injection vulnerability to escalate privileges or perform additional malicious activities. The combination of these two vulnerabilities creates a particularly dangerous scenario where initial access can be achieved without authentication, followed by privilege escalation through command injection.

The operational impact of this vulnerability extends beyond simple system compromise, as network cameras serve as critical components in security infrastructure and often contain sensitive data or provide access to restricted network segments. The affected Vivotek IP7137 camera has reached its End-Of-Life phase, meaning that the vendor is no longer providing security updates or patches for the product. This creates a significant risk for organizations that continue to operate these devices in production environments, as they become increasingly vulnerable to exploitation. Without vendor firmware updates, organizations cannot remediate the vulnerability through standard security patching procedures, leaving them exposed to potential exploitation by threat actors. The device's role in network security infrastructure also means that a compromised camera could provide attackers with a persistent access point for lateral movement within networks, potentially enabling broader security breaches.

Organizations utilizing affected Vivotek IP7137 cameras should implement immediate mitigations to reduce the risk of exploitation. Network segmentation and access controls should be enforced to limit administrative access to these devices, while monitoring for unusual network traffic patterns or command execution attempts should be implemented. The most effective long-term solution involves replacing the affected devices with newer models that have proper input validation and security features. Security teams should also consider implementing network intrusion detection systems that can identify attempts to exploit command injection vulnerabilities. Additionally, organizations should review their asset inventory to identify all remaining devices running vulnerable firmware versions and develop a timeline for complete replacement. Due to the End-Of-Life status of the affected product, the recommended approach is to treat these devices as compromised and implement strict network controls around them while planning for their complete removal from the network infrastructure. The vulnerability demonstrates the importance of proper input validation and the risks associated with operating legacy devices without vendor support for security updates.
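The monitoring recommended above can start from the logs of a proxy or gateway placed in front of the camera. The following is an added example, not code from VulDB, MITRE or the vendor: it flags requests to the setparam.cgi endpoint whose system_ntpIt value is not a plain hostname or IP address. The access-log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/admin/setparam.cgi"  # endpoint named in the advisory
PARAM = "system_ntpIt"                    # parameter name as given in the advisory

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_valid_ntp_server(value):
    """True only for an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for setparam.cgi requests whose
    NTP parameter is anything other than a plain hostname or IP address."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != ENDPOINT:
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and value and not is_valid_ntp_server(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (not taken from a real device or incident).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2026:08:15:02 +0000] "GET /cgi-bin/admin/setparam.cgi?system_ntpIt=pool.ntp.org HTTP/1.1" 200 41',
    '192.0.2.10 - - [12/Jan/2026:08:16:40 +0000] "GET /cgi-bin/admin/setparam.cgi?system_ntpIt=198.51.100.7 HTTP/1.1" 200 41',
    '203.0.113.55 - - [12/Jan/2026:09:01:13 +0000] "GET /cgi-bin/admin/setparam.cgi?system_ntpIt=ntp.example.net%3Bplaceholder HTTP/1.1" 200 41',
    '192.0.2.10 - - [12/Jan/2026:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected {PARAM} value {value!r}")
```

The check is an allowlist on what an NTP server setting can legitimately look like, so it does not depend on knowing which characters the firmware mishandles. Parameters sent in a POST body do not appear in access logs and need inspection at the proxy itself.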

Responsible: CERT-PL
Reservation: 11/21/2025
Disclosure: 01/09/2026
Moderation: accepted
CPE: ready
EPSS: 0.00311
KEV: no
Activities: very low
