VYPR
Vypr IntelligenceAI-generatedJun 24, 2026· 8 CVEs

GeoVision: Eight Vulnerabilities Including Command Injection Disclosed for GV-I/O Box 4E and GV-VMS V20

GeoVision faces disclosure of eight vulnerabilities across GV-I/O Box 4E and GV-VMS V20, including command injection and buffer overflows.

Key findings

  • Eight vulnerabilities disclosed on June 24, 2026, affect GeoVision GV-I/O Box 4E and GV-VMS V20.
  • Multiple OS command injection flaws exist in the libNetSetObj.so library of the GV-I/O Box 4E.
  • Buffer overflow vulnerabilities impact the DVRSearch service on the GV-I/O Box 4E via UDP port 10001.
  • A memory corruption vulnerability affects the GV-Cloud functionality in GV-VMS V20.
  • Exploitation could lead to arbitrary code execution or denial-of-service conditions.

On June 24, 2026, a batch of eight vulnerabilities was disclosed for GeoVision products, primarily affecting the GV-I/O Box 4E and GV-VMS V20. The vulnerabilities, disclosed on the same day, include multiple OS command injection flaws within the libNetSetObj.so library and buffer overflow vulnerabilities in the DVRSearch service, alongside a memory corruption issue in GV-Cloud. These vulnerabilities could allow attackers to execute arbitrary code or cause denial-of-service conditions.

Four of the disclosed vulnerabilities, CVE-2026-12851, CVE-2026-12850, CVE-2026-12849, and CVE-2026-12486, stem from OS command injection flaws within the libNetSetObj.so library of the GeoVision GV-I/O Box 4E running version 2.09. Attackers can exploit these by sending specially crafted network packets, leading to command execution on the affected device. The libNetSetObj.so library is an internal component used by various binary applications within the device.

Further compounding the security concerns for the GV-I/O Box 4E are three buffer overflow vulnerabilities, CVE-2026-12848, CVE-2026-12847, and CVE-2026-12485. These vulnerabilities reside within the DVRSearch service, which operates by default on the device, listening for UDP messages on port 10001. An unauthenticated user on the local network can send malicious messages to this service, triggering the buffer overflows, potentially leading to code execution or denial of service.

The batch also includes CVE-2026-12488, a memory corruption vulnerability affecting the GV-Cloud functionality within GeoVision GV-VMS V20 version 20.0.2. This vulnerability can be triggered by a specially crafted network request, resulting in a denial-of-service state. An attacker could potentially impersonate a legitimate server to exploit this flaw.

Details regarding specific patches or updated versions were not immediately available at the time of disclosure. Users of the affected GeoVision products are advised to consult official GeoVision security advisories for the latest information on mitigation and remediation. The coordinated disclosure of these vulnerabilities highlights potential risks for users relying on these devices for critical infrastructure monitoring and control.

Given the nature of these vulnerabilities, particularly the command injection and buffer overflow flaws, prompt attention from administrators managing GeoVision devices is crucial to prevent potential compromise and ensure the integrity of their systems. Further investigation into the specific impact and exploitability of each CVE is recommended.

AI-written article. Grounded in 8 CVE records listed below.