Skip to main content

GV-IP Device Utility CVE-2026-42363

CRITICAL
Reliance on Security Through Obscurity (CWE-656)
2026-04-26 GV
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 00:30 vuln.today
Analysis Generated
Apr 27, 2026 - 00:15 vuln.today
CVE Published
Apr 26, 2026 - 23:58 nvd
CRITICAL 9.3

DescriptionCVE.org

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.

When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.

AnalysisAI

Credential disclosure in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to intercept administrator passwords via broadcast UDP traffic containing symmetric encryption keys. When administrators issue privileged commands to GeoVision IP devices, the utility broadcasts credentials encrypted with a Blowfish-derived algorithm but includes the decryption key in the same packet, enabling passive network eavesdropping to extract full device credentials. CVSS 9.3 (Critical) with scope change reflects the pivot risk from utility compromise to full device control, including IP reconfiguration and factory resets.

Technical ContextAI

The vulnerability affects the Device Authentication functionality in GeoVision's GV-IP Device Utility version 9.0.5 (CPE: cpe:2.3:a:geovision_inc.:gv-ip_device_utility:*:*:*:*:*:*:*:*), a network management tool for GeoVision IP cameras and NVR systems. The root cause is CWE-656 (Reliance on Security Through Obscurity), where the utility transmits privileged commands over UDP broadcast with credentials encrypted using a proprietary Blowfish-variant algorithm. The implementation flaw is that the symmetric encryption key travels in the same broadcast packet as the ciphertext, completely negating the cryptographic protection. This resembles hardcoded key vulnerabilities but is worse - the key is dynamically transmitted alongside encrypted data, meaning even rotating keys provides no security. Network broadcasts are inherently promiscuous-mode capturable by any LAN-connected device, making passive exploitation trivial with protocol reverse-engineering.

RemediationAI

Upgrade GeoVision GV-IP Device Utility to a patched version addressing CVE-2026-42363 per the vendor advisory at https://www.geovision.com.tw/cyber_security.php (exact fixed version not specified in provided data - consult advisory for release details). Until patching: (1) Isolate the management workstation running GV-IP Device Utility on a dedicated VLAN with strict access controls, preventing untrusted devices from sniffing broadcast traffic; (2) Use switch port security or private VLANs to prevent promiscuous mode packet capture by rogue devices; (3) Implement 802.1X network access control to authenticate all LAN-connected devices; (4) Monitor for unusual UDP broadcast traffic patterns or unauthorized packet captures using IDS/network behavior analytics. Trade-offs: Network segmentation may complicate legitimate device discovery workflows; 802.1X adds deployment complexity for camera installations. Post-patch, rotate all GeoVision device credentials assuming potential previous compromise during the vulnerable window.

Share

CVE-2026-42363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy