What is the CVSS score of CVE-2026-7161?

CVE-2026-7161 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of GV-IP Device Utility are affected by CVE-2026-7161?

GeoVision GV-IP Device Utility 9.0.5 transmits administrator credentials in broadcast UDP packets with encryption keys embedded in the same packets, allowing network attackers on the same LAN to…

GV-IP Device Utility CVE-2026-7161

EUVD-2026-26862 CRITICAL

Reliance on Security Through Obscurity (CWE-656)

2026-05-04 GV

Information Disclosure

9.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 04, 2026 - 01:45 vuln.today

EUVD ID Assigned

May 04, 2026 - 01:15 euvd

EUVD-2026-26862

Analysis Generated

May 04, 2026 - 01:15 vuln.today

CVE Published

May 04, 2026 - 00:39 nvd

CRITICAL 9.3

DescriptionNVD

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.

When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.

AnalysisAI

Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. …

RemediationAI

Within 24 hours: Identify all GeoVision GV-IP Device Utility 9.0.5 deployments and document affected administrator accounts; restrict network access to GeoVision devices using network segmentation (separate VLAN or firewall rules limiting broadcast traffic). Within 7 days: Implement network monitoring to detect unauthorized GeoVision device access; rotate all administrator credentials on affected devices once patching or mitigation is complete. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7161 vulnerability details – vuln.today

Back