Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Single unauthenticated UDP packet to default-listening service yields code execution; scope kept Unchanged as compromise stays within the device's security authority.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
Net Mask field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
AnalysisAI
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The DVRSearch service must be running and reachable on UDP/10001, which is the default configuration on GV-I/O Box 4E - no authentication, user interaction, or non-default settings are required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals converge on high real-world risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H means a single unauthenticated UDP packet from anywhere with network reach to the device yields full compromise with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same Layer 2 segment, VPN, or any routed network with reach to UDP/10001 sends a single crafted DVRSearch packet whose embedded net_mask field is a long attacker-controlled string. The memcpy at reply_buf[184] overflows the stack, overwriting the saved return address to redirect execution into shellcode placed elsewhere in the 1460-byte payload, granting code execution on the device with the privileges of the DVRSearch daemon; no public exploit was identified at time of analysis but the primitive is straightforward. |
| Remediation | No vendor-released patch identified at time of analysis; monitor the GeoVision security page at https://www.geovision.com.tw/cyber_security.php and the Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377 for fixed firmware. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all GeoVision GV-I/O Box 4E devices; implement firewall rules blocking UDP port 10001 from untrusted networks; isolate affected devices to segmented network if operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38647
GHSA-4774-xxfv-2x4f