Skip to main content

GV-I/O Box 4E EUVDEUVD-2026-38648

| CVE-2026-12847 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-24 GV GHSA-6hhf-75q4-5pc2
10.0
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Unauthenticated UDP service on the network with a trivially triggered stack overflow yielding code execution that crosses from the service to the device OS, justifying S:C and full C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:32 vuln.today

DescriptionCVE.org

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

Gateway field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

v7 = strlen(g_network_config->gateway);

memcpy(&reply_buf[216], g_network_config->gateway, v7);

AnalysisAI

Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach device on local network
Delivery
Plant oversized gateway value in config
Exploit
Send UDP discovery packet to port 10001
Execution
Trigger memcpy stack overflow in DVRSearch
Persist
Overwrite saved return address
Impact
Execute shellcode on embedded controller

Vulnerability AssessmentAI

Exploitation DVRSearch must be running (it is on by default on UDP/10001) and the attacker must have network reachability to that port on the GV-I/O Box 4E, plus the ability to influence the device's stored gateway field (the value copied into the stack buffer) - typically achievable by any user on the same network segment per the description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals converge on maximum severity: CVSS 10.0 with AV:N/AC:L/PR:N/UI:N/S:C and full C/I/A impact describes pre-authentication remote code execution against a network-exposed UDP service with scope change, consistent with a classic embedded stack smash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same broadcast domain as the GV-I/O Box 4E first manipulates the device's gateway configuration to contain a long malicious string, then sends a single UDP discovery packet to port 10001. The DVRSearch handler executes the vulnerable memcpy when assembling its reply, overwriting the saved return address on the stack and redirecting execution to attacker shellcode resident on the embedded controller. …
Remediation No vendor-released patch identified at time of analysis; monitor the GeoVision cybersecurity page at https://www.geovision.com.tw/cyber_security.php and TALOS-2026-2377 at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377 for firmware updates and apply the fixed image as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all GeoVision GV-I/O Box 4E devices in the network; implement firewall ACLs to restrict UDP port 10001 access to only trusted administrative networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy