Skip to main content

GV-IP Device Utility EUVDEUVD-2026-26862

| CVE-2026-7161 CRITICAL
Reliance on Security Through Obscurity (CWE-656)
2026-05-04 GV
9.3
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Primary rating from Vendor (GV) · only source for this CVE.

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 01:45 vuln.today
EUVD ID Assigned
May 04, 2026 - 01:15 euvd
EUVD-2026-26862
Analysis Generated
May 04, 2026 - 01:15 vuln.today
CVE Published
May 04, 2026 - 00:39 nvd
CRITICAL 9.3

DescriptionCVE.org

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.

When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.

AnalysisAI

Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. Attackers on the same LAN can capture these broadcasts when legitimate administrators interact with GeoVision IP cameras or devices, decrypt credentials using reverse-engineered algorithms, then gain full device control to reconfigure or factory-reset equipment. EPSS and KEV data not available; CVSS 9.3 reflects network-accessible credential disclosure requiring user interaction.

Technical ContextAI

GV-IP Device Utility is GeoVision's management software for IP cameras and video surveillance devices. The vulnerability stems from CWE-656 (Reliance on Security Through Obscurity) in the UDP broadcast protocol used for privileged device commands. The application encrypts credentials with a custom Blowfish-derivative cipher but transmits the symmetric decryption key within the same UDP broadcast packet. This violates fundamental cryptographic principles - symmetric encryption security depends on key secrecy, not algorithm secrecy. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-accessible attack with low complexity requiring user interaction (admin must send a command) and changed scope (credential compromise affects the managed device, not just the utility). The 'N' in Authentication (PR:N) means the attacker needs no credentials to intercept broadcasts, only LAN access.

RemediationAI

Update GV-IP Device Utility to the patched version specified in GeoVision's advisory at https://www.geovision.com.tw/cyber_security.php (specific patched version number not provided in available data - consult vendor page for exact release). If immediate patching is not feasible, implement network segmentation: isolate the management workstation running GV-IP Device Utility and all managed GeoVision devices on a dedicated VLAN with no access from general user networks, guest WiFi, or IoT segments. This limits attacker positioning to the broadcast domain. Additionally, use switched network infrastructure with IGMP snooping to prevent broadcast traffic from propagating beyond necessary ports, and enable port security to restrict unauthorized devices from joining the management VLAN. These controls reduce attacker opportunity to capture broadcasts but do NOT fix the cryptographic flaw - they only limit exposure. Trade-off: network segmentation may complicate legitimate remote management and require VPN access for administrators. Long-term: replace weak Blowfish-derivative authentication with TLS-protected API calls or certificate-based device authentication in future GeoVision product versions.

Share

EUVD-2026-26862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy