GV-IP Device Utility
CVE-2026-42363
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.
When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.
AnalysisAI
Credential disclosure in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to intercept administrator passwords via broadcast UDP traffic containing symmetric encryption keys. When administrators issue privileged commands to GeoVision IP devices, the utility broadcasts credentials encrypted with a Blowfish-derived algorithm but includes the decryption key in the same packet, enabling passive network eavesdropping to extract full device credentials. CVSS 9.3 (Critical) with scope change reflects the pivot risk from utility compromise to full device control, including IP reconfiguration and factory resets.
Technical ContextAI
The vulnerability affects the Device Authentication functionality in GeoVision's GV-IP Device Utility version 9.0.5 (CPE: cpe:2.3:a:geovision_inc.:gv-ip_device_utility:*:*:*:*:*:*:*:*), a network management tool for GeoVision IP cameras and NVR systems. The root cause is CWE-656 (Reliance on Security Through Obscurity), where the utility transmits privileged commands over UDP broadcast with credentials encrypted using a proprietary Blowfish-variant algorithm. The implementation flaw is that the symmetric encryption key travels in the same broadcast packet as the ciphertext, completely negating the cryptographic protection. This resembles hardcoded key vulnerabilities but is worse - the key is dynamically transmitted alongside encrypted data, meaning even rotating keys provides no security. Network broadcasts are inherently promiscuous-mode capturable by any LAN-connected device, making passive exploitation trivial with protocol reverse-engineering.
RemediationAI
Upgrade GeoVision GV-IP Device Utility to a patched version addressing CVE-2026-42363 per the vendor advisory at https://www.geovision.com.tw/cyber_security.php (exact fixed version not specified in provided data - consult advisory for release details). Until patching: (1) Isolate the management workstation running GV-IP Device Utility on a dedicated VLAN with strict access controls, preventing untrusted devices from sniffing broadcast traffic; (2) Use switch port security or private VLANs to prevent promiscuous mode packet capture by rogue devices; (3) Implement 802.1X network access control to authenticate all LAN-connected devices; (4) Monitor for unusual UDP broadcast traffic patterns or unauthorized packet captures using IDS/network behavior analytics. Trade-offs: Network segmentation may complicate legitimate device discovery workflows; 802.1X adds deployment complexity for camera installations. Post-patch, rotate all GeoVision device credentials assuming potential previous compromise during the vulnerable window.
More in Gv Ip Device Utility
View allSame weakness CWE-656 – Reliance on Security Through Obscurity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today