Command Injection Vulnerability in Vivotek IP7137 Camera
CVE-2025-66052

8.6HIGH

Key Information:

Vendor: Vivotek
Status: Ip7137
Vendor: CVE Published:; 9 January 2026

What is CVE-2025-66052?

The Vivotek IP7137 camera is exposed to a command injection vulnerability due to improper sanitization of the 'system_ntpIt' parameter in the '/cgi-bin/admin/setparam.cgi' endpoint. This flaw allows users with administrative privileges to execute arbitrary commands, potentially leading to unauthorized access or control of the device. Given that the product has reached its End-Of-Life phase, Vivotek has not provided any fixes or patches for this vulnerability, leaving all existing firmware versions at risk.

Affected Version(s)

IP7137 0200a

References

https://cert.pl/posts/2026/01/CVE-2025-66049

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 9, 2026
Vulnerability Reserved
Nov 21, 2025

Credit

Szymon Paszun

JSON