Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF



v2 = *this == 0;

if ( *this )

v2 = ip_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address

system(v4);

return 1;

}
Published: 2026-06-24
Score: 9.1 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple OS command injection vulnerabilities are present in the libNetSetObj.so component of GeoVision GV‑I/O Box 4E firmware 2.09. The affected function constructs a shell command from an attacker‑controlled IP address string and passes it to the system call without any validation. This flaw allows an attacker to inject arbitrary arguments into the command line, effectively executing any shell command on the device, giving them full control over the system. The weakness is classified as CWE‑78 and is reflected in the high CVSS score of 9.1.

Affected Systems

The vulnerability is confirmed for GeoVision Inc.’s GV‑I/O Box 4E running firmware version 2.09. Devices operating on earlier or identical firmware likely share the same code path, and the issue may also exist in the 2.12 release until a vendor update is available.

Risk and Exploitability

The flaw can be triggered remotely by sending a specially crafted network packet to the DVRSearch service or the Network.cgi endpoint, both of which are exposed over the network. Based on the description, it is inferred that the services do not require authentication. Because the command is executed with the privileges of the running service, an attacker can gain full control of the device. The CVSS score of 9.1 indicates a critical impact, and the EPSS score of 2% reflects a low but non‑zero likelihood of exploitation, while the vulnerability remains not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 24, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GeoVision firmware or patch for GV‑I/O Box 4E that removes the unsanitized system call in libNetSetObj.so.
  • Place the device behind a firewall or network segment that blocks external access to the DVRSearch service and the Network.cgi endpoint, limiting the attack surface.
  • If a patch is not yet available, disable or restrict the network configuration services on the device, ensuring that remote clients cannot invoke the vulnerable functions.

Generated by OpenCVE AI on June 24, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_IP_Addr command injection The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = ip_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address system(v4); return 1; }
Title GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-i O Box 4e
Weaknesses CWE-78
CPEs cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-i O Box 4e
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Geovision Inc. Gv-i O Box 4e
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-24T12:54:13.822Z

Reserved: 2026-06-17T03:09:07.610Z

Link: CVE-2026-12486

cve-icon Vulnrichment

Updated: 2026-06-24T12:54:09.448Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')