Impact
Multiple OS command injection vulnerabilities are present in the libNetSetObj.so component of GeoVision GV‑I/O Box 4E firmware 2.09. The affected function constructs a shell command from an attacker‑controlled IP address string and passes it to the system call without any validation. This flaw allows an attacker to inject arbitrary arguments into the command line, effectively executing any shell command on the device, giving them full control over the system. The weakness is classified as CWE‑78 and is reflected in the high CVSS score of 9.1.
Affected Systems
The vulnerability is confirmed for GeoVision Inc.’s GV‑I/O Box 4E running firmware version 2.09. Devices operating on earlier or identical firmware likely share the same code path, and the issue may also exist in the 2.12 release until a vendor update is available.
Risk and Exploitability
The flaw can be triggered remotely by sending a specially crafted network packet to the DVRSearch service or the Network.cgi endpoint, both of which are exposed over the network. Based on the description, it is inferred that the services do not require authentication. Because the command is executed with the privileges of the running service, an attacker can gain full control of the device. The CVSS score of 9.1 indicates a critical impact, and the EPSS score of 2% reflects a low but non‑zero likelihood of exploitation, while the vulnerability remains not listed in the CISA KEV catalog.
OpenCVE Enrichment