Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Web UI is network-reachable (AV:N), injection is straightforward once authenticated (AC:L), description implies a logged-in operator changing a config value (PR:L), no second-user action needed (UI:N), and command execution as root yields full C/I/A impact on the device (S:U).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
AnalysisAI
Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture cameras (firmware 1.10) lets an attacker with low-privilege access to the device web interface execute arbitrary OS commands by writing a crafted value into the DDNS configuration. CVSS scores the issue 8.8 (high) with full confidentiality, integrity, and availability impact, and Talos has published an advisory (TALOS-2025-2326); no public exploit identified at time of analysis and EPSS is low at 0.17%.
Technical ContextAI
GeoVision GV-LPC2011 and GV-LPC2211 are dedicated License Plate Capture IP cameras that expose a web-based administration interface implemented as CGI scripts. The vulnerable component, DdnsSetting.cgi, accepts user-supplied Dynamic DNS configuration values and passes one or more of them into a shell-interpreted context without adequate sanitization or argument separation, the classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) pattern common in embedded Linux CGI firmware. Because DDNS clients typically invoke an external updater binary, the injected metacharacters are interpreted by /bin/sh on the camera and execute with the privileges of the web server process, which on these embedded devices is typically root.
RemediationAI
No vendor-released patch identified at time of analysis - monitor the GeoVision cyber security advisory page (https://www.geovision.com.tw/cyber_security.php) and the Talos report at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2326 for a fixed firmware release for GV-LPC2011/LPC2211 and upgrade as soon as it ships. Until a patched firmware is available, take the cameras off any directly Internet-reachable interface and place the management VLAN behind a firewall or VPN so only trusted operator workstations can reach the web UI (trade-off: remote configuration becomes harder for legitimate admins); disable the DDNS feature in the camera if it is not strictly required, which directly removes the vulnerable code path at the cost of losing dynamic hostname resolution; and enforce strong, unique credentials and rotate any shared operator accounts to raise the bar set by the PR:L requirement. Network controls that block outbound DNS/HTTP to attacker-controlled hosts can further reduce the value of code execution but will not prevent the initial command injection.
More in Gv Lpc2011 Lpc2211
View allPrivilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute pr
Authentication bypass in GeoVision LPC2011/LPC2211 license plate camera firmware version 1.10 allows remote unauthentica
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 Web Interface enables remote attackers to execute arbitrary
Reflected cross-site scripting in GeoVision LPC2011/LPC2211 1.10 web interface (ssi.cgi) allows remote unauthenticated a
Privilege escalation in GeoVision LPC2011/LPC2211 Web Interface allows authenticated attackers to leak stored credential
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26855