Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_Gate_way command injection

The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.





int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)

{

char s[324]; // [sp+4h] [bp-144h] BYREF



if ( !dev && !*this || !gw )

return 0;

system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");

system("/sbin/route del default ");

if ( dev )

sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string

else

sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

return 1;

}
Published: 2026-06-24
Score: 9.1 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from unsanitized gateway strings handed to the system() call in the libNetSetObj.so library of GeoVision GV-I/O Box 4E, allowing an attacker to execute arbitrary commands on the device with full privileges. An adversary could modify routing tables, interrupt network services, or install malware, effectively gaining remote control over the device.

Affected Systems

GeoVision Inc.’s GV‑I/O Box 4E running firmware version 2.09. The flaw is triggered via the DVRSearch service and the Network.cgi endpoint, which are exposed over the network.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability is high severity. The EPSS score is 2%, and the issue has not been listed in CISA KEV. It is inferred that the attack vector is network‑exposed, requiring the attacker to reach the device over an accessible interface such as the DVRSearch TCP service or the HTTP endpoint. Successful exploitation grants unrestricted command execution, making the risk significant for any network‑connected deployment.

Generated by OpenCVE AI on June 24, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest GeoVision firmware that fixes the command‑injection flaw.
  • If a patch is not available, restrict or block all inbound traffic to the DVRSearch service and the Network.cgi endpoint from untrusted networks.
  • Continuously monitor device logs for unexpected system command executions or routing changes, and isolate the device from critical infrastructure if necessary.

Generated by OpenCVE AI on June 24, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Gate_way command injection The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev) { char s[324]; // [sp+4h] [bp-144h] BYREF if ( !dev && !*this || !gw ) return 0; system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0"); system("/sbin/route del default "); if ( dev ) sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string else sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string system(s); sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string system(s); return 1; }
Title GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-i O Box 4e
Weaknesses CWE-78
CPEs cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-i O Box 4e
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Geovision Inc. Gv-i O Box 4e
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-24T12:52:28.883Z

Reserved: 2026-06-22T00:42:27.477Z

Link: CVE-2026-12850

cve-icon Vulnrichment

Updated: 2026-06-24T12:52:25.787Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')