Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Single unauthenticated UDP packet triggers stack overflow on a discovery service; full RCE on an embedded device whose relays affect a separate physical/OT scope justifies S:C and C/I/A:H.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
AnalysisAI
Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only UDP reachability to port 10001 on a GV-I/O Box 4E with the default-enabled DVRSearch service running; no authentication, no user interaction, and no non-default configuration are needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to a real, high-priority risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H scores 10.0 because exploitation is remote, unauthenticated, low-complexity, and produces a scope change with full CIA impact on an embedded device that typically runs without memory protections or ASLR. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any network reachability to the device - including from a compromised endpoint on the same LAN segment - sends a single crafted UDP datagram to port 10001 containing a malformed payload that, when processed by DVRSearch and reflected into the IP-address reply field, overflows the 36-offset stack buffer. With no authentication, no user interaction, and low attack complexity per the CVSS vector, the attacker overwrites the return address to redirect execution into shellcode staged in the same datagram, gaining code execution on the embedded controller. … |
| Remediation | No vendor-released patch identified at time of analysis from the provided data; consult the GeoVision cybersecurity advisory at https://www.geovision.com.tw/cyber_security.php and the Talos report at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377 for firmware updates as they become available, and apply the fixed firmware to all GV-I/O Box 4E units once released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct a complete inventory of GeoVision GV-I/O Box 4E devices in your environment and document their network connectivity and operational criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allRemote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38646
GHSA-x4j6-xvjv-qp6p