Command Injection in Vivotek Legacy Firmware: What You Need to Know | Akamai

Akamai · Jan 20, 2026 · Larry Cashdollar

Executive summary

The Akamai Security Intelligence and Response Team (SIRT) has identified a new vulnerability within Vivotek legacy firmware that allows remote users to inject arbitrary code into the filename supplied to upload_map.cgi. We were assigned CVE-2026-22755.

We determined via analysis of the passwd file found in the firmware that the Vivotek legacy cameras do not appear to have passwords set. As a result, it’s likely that this vulnerability doesn’t require authentication.

Introduction

The Akamai Security Intelligence and Response Team (SIRT) conducted a comprehensive analysis of Vivotek legacy firmware to address the rising threat of botnet-based distributed denial-of-service (DDoS) attacks facilitated by legacy Internet of Things (IoT) devices. Our goal was to identify and mitigate additional and previously unknown vulnerabilities that could be exploited to gain remote command injection access.…