Gv Ip Device Utility
Monthly
Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. Attackers on the same LAN can capture these broadcasts when legitimate administrators interact with GeoVision IP cameras or devices, decrypt credentials using reverse-engineered algorithms, then gain full device control to reconfigure or factory-reset equipment. EPSS and KEV data not available; CVSS 9.3 reflects network-accessible credential disclosure requiring user interaction.
Credential disclosure in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to intercept administrator passwords via broadcast UDP traffic containing symmetric encryption keys. When administrators issue privileged commands to GeoVision IP devices, the utility broadcasts credentials encrypted with a Blowfish-derived algorithm but includes the decryption key in the same packet, enabling passive network eavesdropping to extract full device credentials. CVSS 9.3 (Critical) with scope change reflects the pivot risk from utility compromise to full device control, including IP reconfiguration and factory resets.
Credential interception in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to decrypt administrator passwords from broadcast UDP packets. The application broadcasts device commands with credentials encrypted using a modified Blowfish scheme, but includes the decryption key in the same packet - reducing security to algorithm obscurity. Attackers on the same LAN can capture these broadcasts when legitimate administrators interact with GeoVision IP cameras or devices, decrypt credentials using reverse-engineered algorithms, then gain full device control to reconfigure or factory-reset equipment. EPSS and KEV data not available; CVSS 9.3 reflects network-accessible credential disclosure requiring user interaction.
Credential disclosure in GeoVision GV-IP Device Utility 9.0.5 allows network attackers to intercept administrator passwords via broadcast UDP traffic containing symmetric encryption keys. When administrators issue privileged commands to GeoVision IP devices, the utility broadcasts credentials encrypted with a Blowfish-derived algorithm but includes the decryption key in the same packet, enabling passive network eavesdropping to extract full device credentials. CVSS 9.3 (Critical) with scope change reflects the pivot risk from utility compromise to full device control, including IP reconfiguration and factory resets.