Skip to main content

GeoVision LPC2011/LPC2211 EUVDEUVD-2026-26855

| CVE-2026-42364 HIGH
OS Command Injection (CWE-78)
2026-05-04 GV
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Web UI is network-reachable (AV:N), injection is straightforward once authenticated (AC:L), description implies a logged-in operator changing a config value (PR:L), no second-user action needed (UI:N), and command execution as root yields full C/I/A impact on the device (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 15, 2026 - 21:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 15, 2026 - 21:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 15, 2026 - 21:22 vuln.today
cvss_changed
Severity Changed
Jun 15, 2026 - 21:22 NVD
CRITICAL HIGH
CVSS changed
Jun 15, 2026 - 21:22 NVD
9.9 (CRITICAL) 8.8 (HIGH)
Analysis Generated
May 04, 2026 - 01:46 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26855
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:41 nvd
CRITICAL 9.9

DescriptionNVD

An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.

AnalysisAI

Authenticated OS command injection in the DdnsSetting.cgi handler of GeoVision GV-LPC2011/LPC2211 license plate capture cameras (firmware 1.10) lets an attacker with low-privilege access to the device web interface execute arbitrary OS commands by writing a crafted value into the DDNS configuration. CVSS scores the issue 8.8 (high) with full confidentiality, integrity, and availability impact, and Talos has published an advisory (TALOS-2025-2326); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Technical ContextAI

GeoVision GV-LPC2011 and GV-LPC2211 are dedicated License Plate Capture IP cameras that expose a web-based administration interface implemented as CGI scripts. The vulnerable component, DdnsSetting.cgi, accepts user-supplied Dynamic DNS configuration values and passes one or more of them into a shell-interpreted context without adequate sanitization or argument separation, the classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) pattern common in embedded Linux CGI firmware. Because DDNS clients typically invoke an external updater binary, the injected metacharacters are interpreted by /bin/sh on the camera and execute with the privileges of the web server process, which on these embedded devices is typically root.

RemediationAI

No vendor-released patch identified at time of analysis - monitor the GeoVision cyber security advisory page (https://www.geovision.com.tw/cyber_security.php) and the Talos report at https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2326 for a fixed firmware release for GV-LPC2011/LPC2211 and upgrade as soon as it ships. Until a patched firmware is available, take the cameras off any directly Internet-reachable interface and place the management VLAN behind a firewall or VPN so only trusted operator workstations can reach the web UI (trade-off: remote configuration becomes harder for legitimate admins); disable the DDNS feature in the camera if it is not strictly required, which directly removes the vulnerable code path at the cost of losing dynamic hostname resolution; and enforce strong, unique credentials and rotate any shared operator accounts to raise the bar set by the PR:L requirement. Network controls that block outbound DNS/HTTP to attacker-controlled hosts can further reduce the value of code execution but will not prevent the initial command injection.

Share

EUVD-2026-26855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy