Impact
A command injection flaw exists within the libNetSetObj.so component used by GeoVision GV‑I/O Box 4E. The attacker can supply an unsanitized string that is passed directly to the system() call, allowing the execution of arbitrary OS commands. This vulnerability satisfies CWE‑78, poses a high confidentiality and integrity risk, and can lead to full system compromise.
Affected Systems
The affected product is the GeoVision GV‑I/O Box 4E, specifically firmware versions 2.09 and 2.12 for Linux deployments. The flaw is embedded in the internal library that configures network settings such as IP address, netmask, gateway, and DNS, and is exposed through network‑accessible services.
Risk and Exploitability
The CVSS score of 9.1 indicates a critical severity. The EPSS score of 2% indicates a low but non‑zero likelihood of exploitation, and the absence of a known exploit in the KEV catalog suggests that exploitation may still be sought after. The function is reachable via the network‑exposed DVRSearch service and the Network.cgi endpoint, enabling a remote attacker to craft a malicious packet or HTTP request over an open port. No special privileges are required beyond network connectivity, making exploitation straightforward for an attacker with network access to the device.
OpenCVE Enrichment