Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
UDP service reachable on the network with no auth or interaction (AV:N/AC:L/PR:N/UI:N); memory corruption yields full code execution on the device, but no clear cross-system scope change, so S:U with C/I/A:H.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
DNS field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
AnalysisAI
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must be able to send UDP packets to port 10001 on a GV-I/O Box 4E (typically same broadcast domain or a routed network with that port permitted) - DVRSearch is enabled by default, so no special configuration on the device is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H indicates network-reachable, unauthenticated, low-complexity exploitation with scope change, consistent with a UDP listener exposed to any LAN peer. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who gains a foothold on the same network segment as the I/O Box - for example via a compromised IP camera, a rogue Wi-Fi client, or an infected workstation - sends a single crafted UDP datagram to port 10001 on the device, causing the DVRSearch handler to memcpy an oversized DNS string onto the stack and overwrite the return address. With AC:L and no authentication, the attacker can pivot to executing code on the embedded controller and toggle the four relay outputs to manipulate physical equipment (door strikes, alarms, industrial actuators). … |
| Remediation | No vendor-released patch identified at time of analysis in the supplied inputs; monitor the GeoVision security page (https://www.geovision.com.tw/cyber_security.php) and the Talos advisory (https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377) for firmware updates and apply the fixed firmware to every GV-I/O Box 4E as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38649
GHSA-gm83-p72p-f6jx