Skip to main content

GV-VMS V20 EUVDEUVD-2026-26860

| CVE-2026-42369 CRITICAL
Out-of-bounds Write (CWE-787)
2026-05-04 GV
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 01:47 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26860
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:47 nvd
CRITICAL 10.0

DescriptionCVE.org

GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely.

Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the gvapi endpoint uses its own authentication mechanism via an HTTP Authorization header. It supports both Basic authentication and the Digest modes of authentication.

Stack-overflow via unbound copy of base64 decoded string

The b64decoder string is sized dynamically, but it is then copied to the Buffer stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the Buffer variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.

AnalysisAI

Remote unauthenticated code execution in GeoVision GV-VMS V20 WebCam Server allows attackers to execute arbitrary code as SYSTEM via stack buffer overflow. The gvapi endpoint bypasses standard authentication and copies base64-decoded HTTP Authorization headers into a 256-byte stack buffer without bounds checking, enabling full stack control. The WebCam Server binary is compiled without ASLR, significantly lowering exploitation complexity. CVSS 10.0 with network vector, no prerequisites, and changed scope reflecting system-level compromise. Publicly disclosed by Cisco Talos and vendor advisory available from GeoVision.

Technical ContextAI

GV-VMS V20 is GeoVision's video management software for surveillance camera aggregation and security device management. When the optional 'WebCam Server' feature is enabled, a native Windows web server exposes remote management interfaces. The affected component is the gvapi endpoint's custom authentication handler, which processes HTTP Authorization headers (both Basic and Digest modes). The vulnerability is CWE-787 (Out-of-bounds Write): base64-decoded authentication credentials are dynamically allocated to b64decoder but then character-by-character copied to a fixed 256-byte stack buffer named Buffer without size validation. The binary lacks Address Space Layout Randomization (ASLR), meaning attackers have predictable memory addresses for Return Oriented Programming (ROP) gadgets or shellcode placement. This is a classic stack-based buffer overflow in native C/C++ code where the attacker controls both the overflow data (via base64-encoded Authorization header) and can predict exploitation targets due to missing ASLR.

RemediationAI

Immediately consult GeoVision's official cyber security advisory at https://www.geovision.com.tw/cyber_security.php for vendor-released patches or mitigation guidance. Based on available data, no specific patched version number has been independently confirmed at time of analysis - verify fix version directly with GeoVision support before deploying. If immediate patching is not possible, implement these compensating controls with noted trade-offs: (1) Disable the WebCam Server feature entirely if remote web access is not operationally critical, eliminating the attack surface but losing remote monitoring capability. (2) Restrict network access to the WebCam Server to trusted IP ranges only via firewall rules or VPN, reducing exposure to authenticated administrators but not eliminating risk from compromised internal systems or authenticated attackers. (3) Deploy network-based intrusion prevention systems (IPS) with signatures detecting abnormally large HTTP Authorization headers (>400 base64 characters), though determined attackers may fragment or encode payloads to evade detection. Monitor for HTTP requests to /gvapi with Authorization headers exceeding 300 characters as potential exploitation attempts. All compensating controls are temporary - vendor patching is the only complete remediation given the fundamental code vulnerability and lack of ASLR protection.

Share

EUVD-2026-26860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy