Cyber Resilience

CVE-2025-66052

HighRCE

Published: 09 January 2026

Published
09 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0133 67.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-66052 is a high-severity OS Command Injection (CWE-78) vulnerability in Vivotek Ip7137 Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-66052 is a command injection vulnerability affecting the Vivotek IP7137 IP camera, specifically firmware version 0200a. The issue arises in the "/cgi-bin/admin/setparam.cgi" endpoint, where the "system_ntpIt" parameter is not properly sanitized, enabling command injection. All firmware versions may be vulnerable, as the product has reached its End-Of-Life phase.

An attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Due to the related CVE-2025-66050, administrative access is not protected by default, lowering the barrier for privilege escalation. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

No patches or fixes are expected, as the vendor has not responded to the CNA and the product is end-of-life. Security practitioners should isolate affected devices, restrict network access, and monitor for unauthorized administrative logins. Additional details are available in the advisory at https://cert.pl/posts/2026/01/CVE-2025-66049.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. Parameter "system_ntpIt" used by "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected…

more

by default, The vendor has not replied to the CNA Possibly all firmware versions are affected. Since the product has met End-Of-Life phase, a fix is not expected to be released.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing CGI endpoint directly enables T1190 exploitation and arbitrary Unix shell command execution via T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66049Same product: Vivotek Ip7137
CVE-2025-66050Same product: Vivotek Ip7137
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2015-10145Shared CWE-78
CVE-2020-37002Shared CWE-78
CVE-2026-27848Shared CWE-78

Affected Assets

vivotek
ip7137 firmware
0200a

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Restricts network access to the exposed /cgi-bin/admin/setparam.cgi endpoint, directly blocking remote exploitation of the command injection.

prevent

Requires validation and sanitization of the system_ntpIt parameter, eliminating the unsanitized input that enables command injection.

prevent

Enforces authentication and authorization checks before allowing administrative access to setparam.cgi, mitigating the default unprotected admin access noted in the related CVE.

References