Skip to main content

GeoVision LPC2011/LPC2211 CVE-2026-42365

| EUVDEUVD-2026-26856 HIGH
Predictable from Observable State (CWE-341)
2026-05-04 GV
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable web UI, no auth or user interaction, low-complexity cookie brute force; confidentiality high via account takeover, integrity/availability not directly impacted by the bypass itself.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jun 15, 2026 - 21:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 15, 2026 - 21:22 NVD
8.6 (HIGH) 7.5 (HIGH)
Analysis Generated
May 04, 2026 - 01:46 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26856
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:42 nvd
HIGH 8.6

DescriptionNVD

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability.

AnalysisAI

Authentication bypass in GeoVision LPC2011/LPC2211 license plate camera firmware version 1.10 allows remote unauthenticated attackers to brute-force predictable session cookies via the Web Interface and gain access to the device. The flaw stems from insufficient randomness in session token generation (CWE-341), enabling attackers to enumerate valid cookies through a crafted series of HTTP requests. No public exploit identified at time of analysis, and EPSS is low at 0.06%, but CISA SSVC rates technical impact as partial with no current exploitation observed.

Technical ContextAI

GeoVision GV-LPC2011 and GV-LPC2211 are license plate recognition (LPR) cameras commonly deployed in parking, access-control, and traffic-enforcement environments. The vulnerability lives in the embedded Web Interface used for device management. CWE-341 (Predictable from Observable State) indicates that session cookies are generated from observable or insufficiently random inputs, so an attacker who can collect or reason about a few sample cookies can predict or enumerate valid values. Because authentication state is bound entirely to the cookie, predicting a valid value is equivalent to logging in. The Talos vulnerability report TALOS-2025-2332 is the originating research advisory.

RemediationAI

No vendor-released patch identified at time of analysis; monitor the GeoVision security page at https://www.geovision.com.tw/cyber_security.php and the Talos report at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2332 for a fixed firmware build and apply it as soon as it is published. Until a fix ships, the most effective compensating controls are to remove the Web Interface from any internet-facing network - place the cameras on a dedicated management VLAN reachable only via VPN or jump host - and to restrict TCP access to the HTTP/HTTPS management ports with a firewall ACL allowing only known administrator IPs, accepting the trade-off that remote field technicians will need VPN access. Add WAF or reverse-proxy rate-limiting and IP-based lockout in front of the cookie endpoints to slow brute-force enumeration (trade-off: may interfere with legitimate polling or NVR integrations), and rotate any credentials that may have been exposed through the device.

Share

CVE-2026-42365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy