Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for GV-I/O Box 4E by GeoVision Inc.

    CVE-2026-12851 (GCVE-0-2026-12851)

    Vulnerability from nvd – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:50
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_DNS_Addr command injection The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2) { int result; // r0 char v5[80]; // [sp+0h] [bp-50h] BYREF if ( !dns1 ) result = 0; if ( dns1 ) { sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field system(v5); if ( dns2 ) { sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2); system(v5); } return 1; } return result;
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12851",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:50:41.800146Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:50:52.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_DNS_Addr command injection\u003cbr\u003e\u003cbr\u003eThe following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)\n\u003cbr\u003e    {\n\u003cbr\u003e      int result; // r0\n\u003cbr\u003e      char v5[80]; // [sp+0h] [bp-50h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      if ( !dns1 )\n\u003cbr\u003e        result = 0;\n\u003cbr\u003e      if ( dns1 )\n\u003cbr\u003e      {\n\u003cbr\u003e        sprintf(v5, \"/bin/echo nameserver %s \u0026gt; /etc/resolv.conf\", dns1);  // attacker controlled dns1 field\n\u003cbr\u003e        system(v5);\n\u003cbr\u003e        if ( dns2 )\n\u003cbr\u003e        {\n\u003cbr\u003e          sprintf(v5, \"/bin/echo nameserver %s \u0026gt;\u0026gt; /etc/resolv.conf\", dns2);\n\u003cbr\u003e          system(v5);\n\u003cbr\u003e        }\n\u003cbr\u003e        return 1;\n\u003cbr\u003e      }\n\u003cbr\u003e      return result;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_DNS_Addr command injection\n\nThe following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)\n\n    {\n\n      int result; // r0\n\n      char v5[80]; // [sp+0h] [bp-50h] BYREF\n\n\n\n      if ( !dns1 )\n\n        result = 0;\n\n      if ( dns1 )\n\n      {\n\n        sprintf(v5, \"/bin/echo nameserver %s \u003e /etc/resolv.conf\", dns1);  // attacker controlled dns1 field\n\n        system(v5);\n\n        if ( dns2 )\n\n        {\n\n          sprintf(v5, \"/bin/echo nameserver %s \u003e\u003e /etc/resolv.conf\", dns2);\n\n          system(v5);\n\n        }\n\n        return 1;\n\n      }\n\n      return result;"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:26.802Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12851",
        "datePublished": "2026-06-24T03:40:26.802Z",
        "dateReserved": "2026-06-22T00:42:28.790Z",
        "dateUpdated": "2026-06-24T12:50:52.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12850 (GCVE-0-2026-12850)

    Vulnerability from nvd – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:52
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Gate_way command injection The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev) { char s[324]; // [sp+4h] [bp-144h] BYREF if ( !dev && !*this || !gw ) return 0; system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0"); system("/sbin/route del default "); if ( dev ) sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string else sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string system(s); sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string system(s); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12850",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:51:53.369783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:52:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_Gate_way command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)\n\u003cbr\u003e    {\n\u003cbr\u003e      char s[324]; // [sp+4h] [bp-144h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      if ( !dev \u0026amp;\u0026amp; !*this || !gw )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      system(\"/sbin/route del -net 224.0.0.0 netmask 224.0.0.0\");\n\u003cbr\u003e      system(\"/sbin/route del default \");\n\u003cbr\u003e      if ( dev )\n\u003cbr\u003e        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, dev); //attacker controlled gw string\n\u003cbr\u003e      else\n\u003cbr\u003e        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, *this); //attacker controlled gw string\n\u003cbr\u003e      system(s);\n\u003cbr\u003e      sprintf(s, \"/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s\", gw, *this); //attacker controlled gw string\n\u003cbr\u003e      system(s);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e      }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_Gate_way command injection\n\nThe following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)\n\n    {\n\n      char s[324]; // [sp+4h] [bp-144h] BYREF\n\n\n\n      if ( !dev \u0026\u0026 !*this || !gw )\n\n        return 0;\n\n      system(\"/sbin/route del -net 224.0.0.0 netmask 224.0.0.0\");\n\n      system(\"/sbin/route del default \");\n\n      if ( dev )\n\n        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, dev); //attacker controlled gw string\n\n      else\n\n        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n      system(s);\n\n      sprintf(s, \"/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n      system(s);\n\n      return 1;\n\n      }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:24.764Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12850",
        "datePublished": "2026-06-24T03:40:24.764Z",
        "dateReserved": "2026-06-22T00:42:27.477Z",
        "dateUpdated": "2026-06-24T12:52:28.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12849 (GCVE-0-2026-12849)

    Vulnerability from nvd – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:53
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Net_Mask command injection The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = netmask_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr system(v4); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:53:33.251382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:53:41.973Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_Net_Mask command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)\n\u003cbr\u003e    {\n\u003cbr\u003e      bool v2; // zf\n\u003cbr\u003e      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      v2 = *this == 0;\n\u003cbr\u003e      if ( *this )\n\u003cbr\u003e        v2 = netmask_addr == 0;\n\u003cbr\u003e      if ( v2 )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      sprintf(v4, \"/sbin/ifconfig %s netmask %s\", *this, netmask_addr);  // attacker controlled netmask_addr\n\u003cbr\u003e      system(v4);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e    }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n\n#### CNetSetObj::m_F_n_Set_Net_Mask command injection\n\nThe following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)\n\n    {\n\n      bool v2; // zf\n\n      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\n\n\n      v2 = *this == 0;\n\n      if ( *this )\n\n        v2 = netmask_addr == 0;\n\n      if ( v2 )\n\n        return 0;\n\n      sprintf(v4, \"/sbin/ifconfig %s netmask %s\", *this, netmask_addr);  // attacker controlled netmask_addr\n\n      system(v4);\n\n      return 1;\n\n    }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:21.823Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12849",
        "datePublished": "2026-06-24T03:40:21.823Z",
        "dateReserved": "2026-06-22T00:42:24.206Z",
        "dateUpdated": "2026-06-24T12:53:41.973Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12848 (GCVE-0-2026-12848)

    Vulnerability from nvd – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:49
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### DNS field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v8 = strlen(g_network_config->dns_addr); memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12848",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:46:58.574812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:49:33.639Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e#### DNS field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e    v8 = strlen(g_network_config-\u0026gt;dns_addr);\n\u003cbr\u003e    memcpy(\u0026amp;reply_buf[248], g_network_config-\u0026gt;dns_addr, v8);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n\n#### DNS field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n    v8 = strlen(g_network_config-\u003edns_addr);\n\n    memcpy(\u0026reply_buf[248], g_network_config-\u003edns_addr, v8);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:30.664Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12848",
        "datePublished": "2026-06-24T03:34:30.664Z",
        "dateReserved": "2026-06-22T00:26:58.083Z",
        "dateUpdated": "2026-06-24T12:49:33.639Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12847 (GCVE-0-2026-12847)

    Vulnerability from nvd – Published: 2026-06-24 03:34 – Updated: 2026-06-24 13:16
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12847",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T13:16:28.900447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T13:16:38.193Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Gateway field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v7 = strlen(g_network_config-\u0026gt;gateway);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[216], g_network_config-\u0026gt;gateway, v7);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Gateway field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v7 = strlen(g_network_config-\u003egateway);\n\n      memcpy(\u0026reply_buf[216], g_network_config-\u003egateway, v7);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:28.215Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12847",
        "datePublished": "2026-06-24T03:34:28.215Z",
        "dateReserved": "2026-06-22T00:26:55.874Z",
        "dateUpdated": "2026-06-24T13:16:38.193Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12846 (GCVE-0-2026-12846)

    Vulnerability from nvd – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:55
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:55:27.854943Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:55:36.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Net Mask field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v6 = strlen(g_network_config-\u0026gt;net_mask);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[184], g_network_config-\u0026gt;net_mask, v6);\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v6 = strlen(g_network_config-\u003enet_mask);\n\n      memcpy(\u0026reply_buf[184], g_network_config-\u003enet_mask, v6);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:25.543Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12846",
        "datePublished": "2026-06-24T03:34:25.543Z",
        "dateReserved": "2026-06-22T00:26:45.854Z",
        "dateUpdated": "2026-06-24T12:55:36.396Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12486 (GCVE-0-2026-12486)

    Vulnerability from nvd – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:54
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_IP_Addr command injection The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = ip_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address system(v4); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12486",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:54:03.543792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:54:13.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_IP_Addr command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)\n\u003cbr\u003e    {\n\u003cbr\u003e      bool v2; // zf\n\u003cbr\u003e      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      v2 = *this == 0;\n\u003cbr\u003e      if ( *this )\n\u003cbr\u003e        v2 = ip_addr == 0;\n\u003cbr\u003e      if ( v2 )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      sprintf(v4, \"/sbin/ifconfig %s %s\", *this, ip_addr);  // attacker controlled ip address \n\u003cbr\u003e      system(v4);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e    }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_IP_Addr command injection\n\nThe following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)\n\n    {\n\n      bool v2; // zf\n\n      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\n\n\n      v2 = *this == 0;\n\n      if ( *this )\n\n        v2 = ip_addr == 0;\n\n      if ( v2 )\n\n        return 0;\n\n      sprintf(v4, \"/sbin/ifconfig %s %s\", *this, ip_addr);  // attacker controlled ip address \n\n      system(v4);\n\n      return 1;\n\n    }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:19.795Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12486",
        "datePublished": "2026-06-24T03:40:19.795Z",
        "dateReserved": "2026-06-17T03:09:07.610Z",
        "dateUpdated": "2026-06-24T12:54:13.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12485 (GCVE-0-2026-12485)

    Vulnerability from nvd – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:56
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### IP field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v3 = strlen(g_network_config->ip_addr); memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:55:48.854235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:56:06.131Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v3 = strlen(g_network_config-\u0026gt;ip_addr);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### IP field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v3 = strlen(g_network_config-\u003eip_addr);\n\n      memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:22.794Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12485",
        "datePublished": "2026-06-24T03:34:22.794Z",
        "dateReserved": "2026-06-17T03:09:05.554Z",
        "dateUpdated": "2026-06-24T12:56:06.131Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12851 (GCVE-0-2026-12851)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:50
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_DNS_Addr command injection The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2) { int result; // r0 char v5[80]; // [sp+0h] [bp-50h] BYREF if ( !dns1 ) result = 0; if ( dns1 ) { sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field system(v5); if ( dns2 ) { sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2); system(v5); } return 1; } return result;
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12851",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:50:41.800146Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:50:52.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_DNS_Addr command injection\u003cbr\u003e\u003cbr\u003eThe following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)\n\u003cbr\u003e    {\n\u003cbr\u003e      int result; // r0\n\u003cbr\u003e      char v5[80]; // [sp+0h] [bp-50h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      if ( !dns1 )\n\u003cbr\u003e        result = 0;\n\u003cbr\u003e      if ( dns1 )\n\u003cbr\u003e      {\n\u003cbr\u003e        sprintf(v5, \"/bin/echo nameserver %s \u0026gt; /etc/resolv.conf\", dns1);  // attacker controlled dns1 field\n\u003cbr\u003e        system(v5);\n\u003cbr\u003e        if ( dns2 )\n\u003cbr\u003e        {\n\u003cbr\u003e          sprintf(v5, \"/bin/echo nameserver %s \u0026gt;\u0026gt; /etc/resolv.conf\", dns2);\n\u003cbr\u003e          system(v5);\n\u003cbr\u003e        }\n\u003cbr\u003e        return 1;\n\u003cbr\u003e      }\n\u003cbr\u003e      return result;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_DNS_Addr command injection\n\nThe following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)\n\n    {\n\n      int result; // r0\n\n      char v5[80]; // [sp+0h] [bp-50h] BYREF\n\n\n\n      if ( !dns1 )\n\n        result = 0;\n\n      if ( dns1 )\n\n      {\n\n        sprintf(v5, \"/bin/echo nameserver %s \u003e /etc/resolv.conf\", dns1);  // attacker controlled dns1 field\n\n        system(v5);\n\n        if ( dns2 )\n\n        {\n\n          sprintf(v5, \"/bin/echo nameserver %s \u003e\u003e /etc/resolv.conf\", dns2);\n\n          system(v5);\n\n        }\n\n        return 1;\n\n      }\n\n      return result;"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:26.802Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12851",
        "datePublished": "2026-06-24T03:40:26.802Z",
        "dateReserved": "2026-06-22T00:42:28.790Z",
        "dateUpdated": "2026-06-24T12:50:52.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12850 (GCVE-0-2026-12850)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:52
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Gate_way command injection The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev) { char s[324]; // [sp+4h] [bp-144h] BYREF if ( !dev && !*this || !gw ) return 0; system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0"); system("/sbin/route del default "); if ( dev ) sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string else sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string system(s); sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string system(s); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12850",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:51:53.369783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:52:28.883Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_Gate_way command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)\n\u003cbr\u003e    {\n\u003cbr\u003e      char s[324]; // [sp+4h] [bp-144h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      if ( !dev \u0026amp;\u0026amp; !*this || !gw )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      system(\"/sbin/route del -net 224.0.0.0 netmask 224.0.0.0\");\n\u003cbr\u003e      system(\"/sbin/route del default \");\n\u003cbr\u003e      if ( dev )\n\u003cbr\u003e        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, dev); //attacker controlled gw string\n\u003cbr\u003e      else\n\u003cbr\u003e        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, *this); //attacker controlled gw string\n\u003cbr\u003e      system(s);\n\u003cbr\u003e      sprintf(s, \"/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s\", gw, *this); //attacker controlled gw string\n\u003cbr\u003e      system(s);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e      }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_Gate_way command injection\n\nThe following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)\n\n    {\n\n      char s[324]; // [sp+4h] [bp-144h] BYREF\n\n\n\n      if ( !dev \u0026\u0026 !*this || !gw )\n\n        return 0;\n\n      system(\"/sbin/route del -net 224.0.0.0 netmask 224.0.0.0\");\n\n      system(\"/sbin/route del default \");\n\n      if ( dev )\n\n        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, dev); //attacker controlled gw string\n\n      else\n\n        sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n      system(s);\n\n      sprintf(s, \"/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n      system(s);\n\n      return 1;\n\n      }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:24.764Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12850",
        "datePublished": "2026-06-24T03:40:24.764Z",
        "dateReserved": "2026-06-22T00:42:27.477Z",
        "dateUpdated": "2026-06-24T12:52:28.883Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12849 (GCVE-0-2026-12849)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:53
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Net_Mask command injection The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = netmask_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr system(v4); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:53:33.251382Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:53:41.973Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_Net_Mask command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)\n\u003cbr\u003e    {\n\u003cbr\u003e      bool v2; // zf\n\u003cbr\u003e      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      v2 = *this == 0;\n\u003cbr\u003e      if ( *this )\n\u003cbr\u003e        v2 = netmask_addr == 0;\n\u003cbr\u003e      if ( v2 )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      sprintf(v4, \"/sbin/ifconfig %s netmask %s\", *this, netmask_addr);  // attacker controlled netmask_addr\n\u003cbr\u003e      system(v4);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e    }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n\n#### CNetSetObj::m_F_n_Set_Net_Mask command injection\n\nThe following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)\n\n    {\n\n      bool v2; // zf\n\n      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\n\n\n      v2 = *this == 0;\n\n      if ( *this )\n\n        v2 = netmask_addr == 0;\n\n      if ( v2 )\n\n        return 0;\n\n      sprintf(v4, \"/sbin/ifconfig %s netmask %s\", *this, netmask_addr);  // attacker controlled netmask_addr\n\n      system(v4);\n\n      return 1;\n\n    }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:21.823Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12849",
        "datePublished": "2026-06-24T03:40:21.823Z",
        "dateReserved": "2026-06-22T00:42:24.206Z",
        "dateUpdated": "2026-06-24T12:53:41.973Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12486 (GCVE-0-2026-12486)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:40 – Updated: 2026-06-24 12:54
    VLAI
    Title
    GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
    Summary
    Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_IP_Addr command injection The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = ip_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address system(v4); return 1; }
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: V2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:31
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12486",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:54:03.543792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:54:13.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "V2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:31:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\u003cbr\u003e\u003cbr\u003e#### CNetSetObj::m_F_n_Set_IP_Addr command injection\u003cbr\u003e\u003cbr\u003eThe following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\u003cbr\u003e\n\u003cbr\u003e    int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)\n\u003cbr\u003e    {\n\u003cbr\u003e      bool v2; // zf\n\u003cbr\u003e      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\u003cbr\u003e\n\u003cbr\u003e      v2 = *this == 0;\n\u003cbr\u003e      if ( *this )\n\u003cbr\u003e        v2 = ip_addr == 0;\n\u003cbr\u003e      if ( v2 )\n\u003cbr\u003e        return 0;\n\u003cbr\u003e      sprintf(v4, \"/sbin/ifconfig %s %s\", *this, ip_addr);  // attacker controlled ip address \n\u003cbr\u003e      system(v4);\n\u003cbr\u003e      return 1;\n\u003cbr\u003e    }\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_IP_Addr command injection\n\nThe following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n    int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)\n\n    {\n\n      bool v2; // zf\n\n      char v4[72]; // [sp+0h] [bp-48h] BYREF\n\n\n\n      v2 = *this == 0;\n\n      if ( *this )\n\n        v2 = ip_addr == 0;\n\n      if ( v2 )\n\n        return 0;\n\n      sprintf(v4, \"/sbin/ifconfig %s %s\", *this, ip_addr);  // attacker controlled ip address \n\n      system(v4);\n\n      return 1;\n\n    }"
            }
          ],
          "impacts": [
            {
              "descriptions": [
                {
                  "lang": "en",
                  "value": "capec-10"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:40:19.795Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12486",
        "datePublished": "2026-06-24T03:40:19.795Z",
        "dateReserved": "2026-06-17T03:09:07.610Z",
        "dateUpdated": "2026-06-24T12:54:13.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12848 (GCVE-0-2026-12848)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:49
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### DNS field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v8 = strlen(g_network_config->dns_addr); memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12848",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:46:58.574812Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:49:33.639Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e#### DNS field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e    v8 = strlen(g_network_config-\u0026gt;dns_addr);\n\u003cbr\u003e    memcpy(\u0026amp;reply_buf[248], g_network_config-\u0026gt;dns_addr, v8);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n\n#### DNS field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n    v8 = strlen(g_network_config-\u003edns_addr);\n\n    memcpy(\u0026reply_buf[248], g_network_config-\u003edns_addr, v8);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:30.664Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12848",
        "datePublished": "2026-06-24T03:34:30.664Z",
        "dateReserved": "2026-06-22T00:26:58.083Z",
        "dateUpdated": "2026-06-24T12:49:33.639Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12847 (GCVE-0-2026-12847)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 13:16
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12847",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T13:16:28.900447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T13:16:38.193Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Gateway field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v7 = strlen(g_network_config-\u0026gt;gateway);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[216], g_network_config-\u0026gt;gateway, v7);\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Gateway field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v7 = strlen(g_network_config-\u003egateway);\n\n      memcpy(\u0026reply_buf[216], g_network_config-\u003egateway, v7);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:28.215Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12847",
        "datePublished": "2026-06-24T03:34:28.215Z",
        "dateReserved": "2026-06-22T00:26:55.874Z",
        "dateUpdated": "2026-06-24T13:16:38.193Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12846 (GCVE-0-2026-12846)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:55
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:55:27.854943Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:55:36.396Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### Net Mask field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v6 = strlen(g_network_config-\u0026gt;net_mask);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[184], g_network_config-\u0026gt;net_mask, v6);\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v6 = strlen(g_network_config-\u003enet_mask);\n\n      memcpy(\u0026reply_buf[184], g_network_config-\u003enet_mask, v6);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:25.543Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12846",
        "datePublished": "2026-06-24T03:34:25.543Z",
        "dateReserved": "2026-06-22T00:26:45.854Z",
        "dateUpdated": "2026-06-24T12:55:36.396Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12485 (GCVE-0-2026-12485)

    Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 12:56
    VLAI
    Title
    GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
    Summary
    GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### IP field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v3 = strlen(g_network_config->ip_addr); memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-121 - Stack-based buffer overflow
    Assigner
    GV
    References
    Impacted products
    Vendor Product Version
    GeoVision Inc. GV-I/O Box 4E Affected: V2.09
    Unaffected: v2.12
    Create a notification for this product.
    Date Public
    2026-06-17 03:10
    Credits
    Philippe Laulheret of Cisco Talos Kelly Patterson of Cisco Talos Robert Sherwin of Cisco Talos
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-24T12:55:48.854235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-24T12:56:06.131Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Linux"
              ],
              "product": "GV-I/O Box 4E",
              "vendor": "GeoVision Inc.",
              "versions": [
                {
                  "status": "affected",
                  "version": "V2.09"
                },
                {
                  "status": "unaffected",
                  "version": "v2.12"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
                      "vulnerable": false
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Philippe Laulheret of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "Kelly Patterson of Cisco Talos"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "Robert Sherwin  of Cisco Talos"
            }
          ],
          "datePublic": "2026-06-17T03:10:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e      v3 = strlen(g_network_config-\u0026gt;ip_addr);\n\u003cbr\u003e      memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### IP field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v3 = strlen(g_network_config-\u003eip_addr);\n\n      memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "CWE-121 Stack-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-24T03:34:22.794Z",
            "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
            "shortName": "GV"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.geovision.com.tw/cyber_security.php"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T07:34:00.000Z",
              "value": "Finder Reports Vulnerabilties to Vendor"
            }
          ],
          "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "assignerShortName": "GV",
        "cveId": "CVE-2026-12485",
        "datePublished": "2026-06-24T03:34:22.794Z",
        "dateReserved": "2026-06-17T03:09:05.554Z",
        "dateUpdated": "2026-06-24T12:56:06.131Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }