Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.
AnalysisAI
Remote code execution in GeoVision GV-ASWeb 6.2.0 allows authenticated users with System Setting permissions to execute arbitrary commands by bypassing frontend restrictions through crafted HTTP POST requests to the ASWebCommon.srf backend endpoint. This authenticated network-accessible vulnerability achieves full system compromise (confidentiality, integrity, and availability impact) with low attack complexity. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable for risk contextualization.
Technical ContextAI
GV-ASWeb is GeoVision's access control and security management web interface, part of their ASManager suite for managing surveillance and access control systems. The vulnerability stems from CWE-94 (Improper Control of Generation of Code / Code Injection), where the backend endpoint ASWebCommon.srf fails to properly validate or sanitize input in the Notification Settings functionality. The application architecture relies on frontend restrictions to prevent command injection, but the backend lacks independent input validation, allowing authenticated users to craft malicious POST requests that bypass client-side controls and inject arbitrary commands directly into server-side execution contexts. The affected product identified by CPE cpe:2.3:a:geovision_inc.:asmanager indicates this is part of GeoVision's broader access management platform, typically deployed in enterprise physical security environments.
RemediationAI
Consult the official GeoVision security advisory at https://www.geovision.com.tw/cyber_security.php for vendor-released patches or updated versions addressing CVE-2026-7841. The advisory should specify the exact patched version to upgrade to from vulnerable GV-ASWeb 6.2.0 installations. Until patching is complete, implement compensating controls: restrict System Setting permissions to the minimum number of trusted administrators required for operational necessity, implement network segmentation to limit GV-ASWeb administrative interface access to dedicated management networks rather than general corporate or internet-accessible networks, enable comprehensive audit logging for all ASWebCommon.srf endpoint requests to detect potential exploitation attempts, and consider implementing web application firewall rules to inspect POST requests to ASWebCommon.srf for command injection patterns (though bypass potential exists given backend validation failures). Note that restricting administrative permissions may impact legitimate configuration management workflows and requires coordination with physical security operations teams.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27546
GHSA-94pq-gp68-xccr