Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
A deserialization vulnerability exists in the wvp-GB28181-pro project (a video streaming platform using GB28181 protocol) through version 2.7.4, specifically in the GenericFastJsonRedisSerializer implementation within the Redis configuration. The flaw allows unauthenticated remote attackers to exploit insecure deserialization through the API endpoint, potentially achieving code execution or data manipulation with low complexity. A public proof-of-concept exploit has been released on GitHub, significantly increasing the risk of active exploitation, and the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability resides in the GenericFastJsonRedisSerializer class used in src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of wvp-GB28181-pro, a Java-based video surveillance platform implementing the GB28181 protocol standard. This component is responsible for serializing and deserializing objects stored in Redis cache. The root cause is CWE-502 (Deserialization of Untrusted Data), where the use of FastJson's generic serializer allows attackers to craft malicious serialized objects that, when deserialized by the application, can instantiate arbitrary classes and execute attacker-controlled code. The affected product is identified by CPE cpe:2.3:a:648540858:wvp-gb28181-pro:*:*:*:*:*:*:*:*, indicating all versions up to and including 2.7.4 contain this flaw. FastJson has a documented history of deserialization vulnerabilities, making its use in security-sensitive contexts particularly risky.
RemediationAI
As the vendor has not responded to the security disclosure and no official patch has been released, organizations should immediately implement compensating controls until a fix becomes available. Monitor the project's GitHub repository for updates beyond version 2.7.4 that may address this issue. In the interim, restrict network access to the wvp-GB28181-pro API endpoints using firewall rules or network segmentation to allow only trusted IP addresses. Deploy a web application firewall (WAF) with rules to detect and block malicious serialized payloads targeting Redis endpoints. Consider replacing GenericFastJsonRedisSerializer with a safer alternative such as Jackson-based serializers (GenericJackson2JsonRedisSerializer) or implementing allowlist-based deserialization filters. If possible, disable or remove the vulnerable Redis configuration component entirely if it is not critical to operations. Review application logs for suspicious API activity patterns that may indicate exploitation attempts, particularly unusual Redis operations or deserialization errors. Refer to the public exploit at https://github.com/wing3e/public_exp/issues/1 to understand attack signatures for detection engineering.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16145
GHSA-jxxw-582j-5377