Impact
The GV‑I/O Box 4E DVRSearch service contains a stack buffer overflow that is triggered by the CMD_IP_SET command. The service copies an attacker‑controlled UDP payload into a 1460‑byte buffer and then performs a memcpy that writes beyond the buffer boundaries. This vulnerability matches CWE‑121 and can lead to arbitrary code execution or a denial‑of‑service if the overflow is successfully exploited.
Affected Systems
The vulnerability affects GeoVision Inc.’s GV‑I/O Box 4E running on Linux. Firmware versions 2.09 and 2.12 are identified as affected. The DVRSearch service listens for UDP packets on port 10001 and is enabled by default.
Risk and Exploitability
The CVSS score of 10 marks this flaw as critical, and the attack vector is inferred to be local network access because any user on the same network can send UDP messages to the exposed service. No authentication is required and the vulnerability is not listed in the CISA KEV catalog. With a lack of an EPSS score, the exact exploitation probability is unknown, but the combination of a high severity score, network reach, and lack of mitigation strongly suggests a high risk of exploitation.
OpenCVE Enrichment