Skip to main content

GV-I/O Box 4E CVE-2026-12485

| EUVDEUVD-2026-38646 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-24 GV GHSA-x4j6-xvjv-qp6p
10.0
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Single unauthenticated UDP packet triggers stack overflow on a discovery service; full RCE on an embedded device whose relays affect a separate physical/OT scope justifies S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:30 vuln.today

DescriptionCVE.org

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

IP field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

v3 = strlen(g_network_config->ip_addr);

memcpy(&reply_buf[36], g_network_config->ip_addr, v3);

AnalysisAI

Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover GV-I/O Box 4E on LAN
Delivery
Send crafted UDP packet to port 10001
Exploit
Overflow IP-field stack buffer in DVRSearch
Execution
Hijack saved return address
Persist
Execute shellcode on device
Impact
Control relays and pivot to OT network

Vulnerability AssessmentAI

Exploitation Exploitation requires only UDP reachability to port 10001 on a GV-I/O Box 4E with the default-enabled DVRSearch service running; no authentication, no user interaction, and no non-default configuration are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a real, high-priority risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H scores 10.0 because exploitation is remote, unauthenticated, low-complexity, and produces a scope change with full CIA impact on an embedded device that typically runs without memory protections or ASLR. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any network reachability to the device - including from a compromised endpoint on the same LAN segment - sends a single crafted UDP datagram to port 10001 containing a malformed payload that, when processed by DVRSearch and reflected into the IP-address reply field, overflows the 36-offset stack buffer. With no authentication, no user interaction, and low attack complexity per the CVSS vector, the attacker overwrites the return address to redirect execution into shellcode staged in the same datagram, gaining code execution on the embedded controller. …
Remediation No vendor-released patch identified at time of analysis from the provided data; consult the GeoVision cybersecurity advisory at https://www.geovision.com.tw/cyber_security.php and the Talos report at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377 for firmware updates as they become available, and apply the fixed firmware to all GV-I/O Box 4E units once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct a complete inventory of GeoVision GV-I/O Box 4E devices in your environment and document their network connectivity and operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy