Skip to main content

GeoVision LPC2011/LPC2211 CVE-2026-42368

| EUVDEUVD-2026-26859 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-05-04 GV
9.9
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (GV) · only source for this CVE.

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 01:46 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26859
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:45 nvd
CRITICAL 9.9

DescriptionCVE.org

A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability.

AnalysisAI

Privilege escalation in GeoVision LPC2011/LPC2211 1.10 web interface allows authenticated remote attackers to execute privileged operations via crafted HTTP requests. The vulnerability enables scope change (S:C) indicating potential escape from restricted web interface contexts to underlying system privileges. CVSS 9.9 (Critical) with low attack complexity and no user interaction required, making this exploitable by any authenticated user through simple web requests. No public exploit identified at time of analysis.

Technical ContextAI

GeoVision LPC2011 and LPC2211 are license plate capture cameras with embedded web management interfaces. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), indicating the web interface fails to properly enforce privilege boundaries when processing HTTP requests. This class of flaw typically arises from missing authorization checks on privileged API endpoints, insecure direct object references to administrative functions, or improper session privilege validation. The scope change (S:C) in the CVSS vector indicates the vulnerability allows breaking out of the intended security boundary, suggesting authenticated low-privilege web users can invoke administrative or system-level operations they should not access.

RemediationAI

Apply firmware updates per GeoVision's cyber security advisory at https://www.geovision.com.tw/cyber_security.php. Vendor has acknowledged the vulnerability and firmware version fixing this issue should be obtained directly from GeoVision support channels. Until patching is complete, implement network segmentation to restrict camera web interface access to trusted management VLANs only - block internet access and use VPN for remote administration. Change all default credentials to strong unique passwords immediately, as the PR:L attack vector depends on credential acquisition. Deploy intrusion detection to monitor for suspicious HTTP POST requests to administrative endpoints from low-privilege accounts. Consider disabling the web interface entirely if cameras can be managed through GeoVision's centralized management platform instead. Note that restricting network access does not eliminate risk from insider threats or lateral movement scenarios, but significantly reduces attack surface. Review all user accounts on affected cameras and apply principle of least privilege - remove unnecessary accounts and downgrade privileges where possible.

Share

CVE-2026-42368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy