Impact
The vulnerability arises from unsanitized gateway strings handed to the system() call in the libNetSetObj.so library of GeoVision GV-I/O Box 4E, allowing an attacker to execute arbitrary commands on the device with full privileges. An adversary could modify routing tables, interrupt network services, or install malware, effectively gaining remote control over the device.
Affected Systems
GeoVision Inc.’s GV‑I/O Box 4E running firmware version 2.09. The flaw is triggered via the DVRSearch service and the Network.cgi endpoint, which are exposed over the network.
Risk and Exploitability
With a CVSS score of 9.1, the vulnerability is high severity. The EPSS score is 2%, and the issue has not been listed in CISA KEV. It is inferred that the attack vector is network‑exposed, requiring the attacker to reach the device over an accessible interface such as the DVRSearch TCP service or the HTTP endpoint. Successful exploitation grants unrestricted command execution, making the risk significant for any network‑connected deployment.
OpenCVE Enrichment