Skip to main content

GeoVision GV-ASWeb CVE-2026-7841

| EUVDEUVD-2026-27546 HIGH
Code Injection (CWE-94)
2026-05-06 GV GHSA-94pq-gp68-xccr
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 07:46 vuln.today

DescriptionCVE.org

A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.

AnalysisAI

Remote code execution in GeoVision GV-ASWeb 6.2.0 allows authenticated users with System Setting permissions to execute arbitrary commands by bypassing frontend restrictions through crafted HTTP POST requests to the ASWebCommon.srf backend endpoint. This authenticated network-accessible vulnerability achieves full system compromise (confidentiality, integrity, and availability impact) with low attack complexity. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable for risk contextualization.

Technical ContextAI

GV-ASWeb is GeoVision's access control and security management web interface, part of their ASManager suite for managing surveillance and access control systems. The vulnerability stems from CWE-94 (Improper Control of Generation of Code / Code Injection), where the backend endpoint ASWebCommon.srf fails to properly validate or sanitize input in the Notification Settings functionality. The application architecture relies on frontend restrictions to prevent command injection, but the backend lacks independent input validation, allowing authenticated users to craft malicious POST requests that bypass client-side controls and inject arbitrary commands directly into server-side execution contexts. The affected product identified by CPE cpe:2.3:a:geovision_inc.:asmanager indicates this is part of GeoVision's broader access management platform, typically deployed in enterprise physical security environments.

RemediationAI

Consult the official GeoVision security advisory at https://www.geovision.com.tw/cyber_security.php for vendor-released patches or updated versions addressing CVE-2026-7841. The advisory should specify the exact patched version to upgrade to from vulnerable GV-ASWeb 6.2.0 installations. Until patching is complete, implement compensating controls: restrict System Setting permissions to the minimum number of trusted administrators required for operational necessity, implement network segmentation to limit GV-ASWeb administrative interface access to dedicated management networks rather than general corporate or internet-accessible networks, enable comprehensive audit logging for all ASWebCommon.srf endpoint requests to detect potential exploitation attempts, and consider implementing web application firewall rules to inspect POST requests to ASWebCommon.srf for command injection patterns (though bypass potential exists given backend validation failures). Note that restricting administrative permissions may impact legitimate configuration management workflows and requires coordination with physical security operations teams.

Share

CVE-2026-7841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy