Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)



#### CNetSetObj::m_F_n_Set_Net_Mask command injection

The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF



v2 = *this == 0;

if ( *this )

v2 = netmask_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr

system(v4);

return 1;

}
Published: 2026-06-24
Score: 9.1 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists within the libNetSetObj.so component used by GeoVision GV‑I/O Box 4E. The attacker can supply an unsanitized string that is passed directly to the system() call, allowing the execution of arbitrary OS commands. This vulnerability satisfies CWE‑78, poses a high confidentiality and integrity risk, and can lead to full system compromise.

Affected Systems

The affected product is the GeoVision GV‑I/O Box 4E, specifically firmware versions 2.09 and 2.12 for Linux deployments. The flaw is embedded in the internal library that configures network settings such as IP address, netmask, gateway, and DNS, and is exposed through network‑accessible services.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity. The EPSS score of 2% indicates a low but non‑zero likelihood of exploitation, and the absence of a known exploit in the KEV catalog suggests that exploitation may still be sought after. The function is reachable via the network‑exposed DVRSearch service and the Network.cgi endpoint, enabling a remote attacker to craft a malicious packet or HTTP request over an open port. No special privileges are required beyond network connectivity, making exploitation straightforward for an attacker with network access to the device.

Generated by OpenCVE AI on June 24, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GV‑I/O Box 4E firmware to the latest release where the libNetSetObj.so issue is fixed.
  • If an update is unavailable, disable or block the DVRSearch service and the Network.cgi endpoint to remove the attack surface.
  • Configure firewall rules to reject or rate‑limit packets aimed at the network configuration ports used by the vulnerable library.

Generated by OpenCVE AI on June 24, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Net_Mask command injection The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = netmask_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr system(v4); return 1; }
Title GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-i O Box 4e
Weaknesses CWE-78
CPEs cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-i O Box 4e
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Geovision Inc. Gv-i O Box 4e
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-24T12:53:41.973Z

Reserved: 2026-06-22T00:42:24.206Z

Link: CVE-2026-12849

cve-icon Vulnrichment

Updated: 2026-06-24T12:53:37.413Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')