Skip to main content

GeoVision GV-I/O Box 4E CVE-2026-12848

| EUVDEUVD-2026-38649 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-24 GV GHSA-gm83-p72p-f6jx
10.0
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

UDP service reachable on the network with no auth or interaction (AV:N/AC:L/PR:N/UI:N); memory corruption yields full code execution on the device, but no clear cross-system scope change, so S:U with C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVE Published
Jun 24, 2026 - 05:33 cve.org
CRITICAL 10.0
Analysis Generated
Jun 24, 2026 - 05:32 vuln.today

DescriptionCVE.org

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

DNS field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

v8 = strlen(g_network_config->dns_addr);

memcpy(&reply_buf[248], g_network_config->dns_addr, v8);

AnalysisAI

Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify GV-I/O Box on LAN via UDP scan
Delivery
Poison or set device DNS field with crafted payload
Exploit
Send UDP datagram to port 10001
Install
Trigger unbounded memcpy of DNS string onto stack
C2
Overwrite saved return address with shellcode pointer
Execute
Execute code on embedded controller
Impact
Toggle relays / pivot into OT segment

Vulnerability AssessmentAI

Exploitation Attacker must be able to send UDP packets to port 10001 on a GV-I/O Box 4E (typically same broadcast domain or a routed network with that port permitted) - DVRSearch is enabled by default, so no special configuration on the device is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates network-reachable, unauthenticated, low-complexity exploitation with scope change, consistent with a UDP listener exposed to any LAN peer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who gains a foothold on the same network segment as the I/O Box - for example via a compromised IP camera, a rogue Wi-Fi client, or an infected workstation - sends a single crafted UDP datagram to port 10001 on the device, causing the DVRSearch handler to memcpy an oversized DNS string onto the stack and overwrite the return address. With AC:L and no authentication, the attacker can pivot to executing code on the embedded controller and toggle the four relay outputs to manipulate physical equipment (door strikes, alarms, industrial actuators). …
Remediation No vendor-released patch identified at time of analysis in the supplied inputs; monitor the GeoVision security page (https://www.geovision.com.tw/cyber_security.php) and the Talos advisory (https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377) for firmware updates and apply the fixed firmware to every GV-I/O Box 4E as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12848 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy