Impact
The vulnerability resides in the DVRSearch service of GeoVision GV‑I/O Box 4E, which processes UDP packets on port 10001. An attacker on the same network can send a specially crafted packet containing a payload larger than the allocated 1460‑byte buffer. The code copies the DNS address string into a fixed area of the local stack, overwriting the return address and other control data. If an attacker controls the written bytes, they can overwrite execution flow, potentially gaining full control of the device. The CVSS score of 10 highlights that remote code execution is feasible without authentication.
Affected Systems
Affected products are GeoVision Inc.’s GV‑I/O Box 4E smart embedded device, running firmware versions 2.09 and 2.12 on Linux. The device exposes four inputs, four relay outputs, and can be controlled via Ethernet and RS‑485. Any host on the device’s network can reach DVRSearch on UDP port 10001.
Risk and Exploitability
The CVSS rating indicates the highest severity, and the vulnerability relies on network‑level access to the device’s UDP service. Because the vulnerability is unauthenticated and allows arbitrary code execution, the risk is very high. No exploit probability (EPSS) is available, and the issue is not currently listed in CISA’s KEV catalog, but the absence of these metrics does not mitigate the threat. An attacker who can reach the network can exploit the overflow with a single crafted packet, escalating to full device compromise. The lack of authentication or ACLs on the service makes the attack vector straightforward and highly likely in unsegmented environments.
OpenCVE Enrichment