Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)

{

int result; // r0

char v5[80]; // [sp+0h] [bp-50h] BYREF



if ( !dns1 )

result = 0;

if ( dns1 )

{

sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field

system(v5);

if ( dns2 )

{

sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);

system(v5);

}

return 1;

}

return result;
Published: 2026-06-24
Score: 9.1 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw is present in the libNetSetObj.so library of GeoVision GV‑I/O Box 4E firmware 2.09. The vulnerable routine builds a shell command from DNS address values supplied in a network packet and invokes system() without any sanitization, allowing an attacker to inject arbitrary shell commands. The result is the ability to execute commands with the privileges of the device’s underlying Linux system, which can lead to full system compromise. This issue is a classic example of CWE‑78, an input validation weakness that permits remote command execution.

Affected Systems

GeoVision Inc. devices, specifically the GV‑I/O Box 4E firmware version 2.09, are confirmed vulnerable. Firmware 2.12 is also listed, but its patch status is not specified in the CVE data. The flaw is triggered through the network‑exposed DVRSearch service and the Network.cgi endpoint.

Risk and Exploitability

With a CVSS score of 9.1 the vulnerability is classified as critical, and an EPSS score of 2% indicates a low but non‑zero probability of exploitation. It is reachable over the network without authentication, so any host with network access to the device can trigger the injection. The vulnerability is not yet listed in the CISA KEV catalog, but the ability to run arbitrary commands on a publicly reachable device makes it a high‑priority threat.

Generated by OpenCVE AI on June 24, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GeoVision GV‑I/O Box 4E firmware to a version that contains the vendor patch for libNetSetObj.so, or verify that the new release removes the vulnerable code paths.
  • Restrict inbound traffic to the DVRSearch and Network.cgi services using firewall rules or by limiting the device’s remote access to trusted internal networks.
  • If remote configuration services are not required, disable the DVRSearch and Network.cgi endpoints entirely; additionally enable device logging and alerting to detect any injection attempts.

Generated by OpenCVE AI on June 24, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Geovision Inc. gv-i/o Box 4e
Vendors & Products Geovision Inc. gv-i/o Box 4e

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_DNS_Addr command injection The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2) { int result; // r0 char v5[80]; // [sp+0h] [bp-50h] BYREF if ( !dns1 ) result = 0; if ( dns1 ) { sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field system(v5); if ( dns2 ) { sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2); system(v5); } return 1; } return result;
Title GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-i O Box 4e
Weaknesses CWE-78
CPEs cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-i O Box 4e
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Geovision Inc. Gv-i/o Box 4e Gv-i O Box 4e
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-24T12:50:52.147Z

Reserved: 2026-06-22T00:42:28.790Z

Link: CVE-2026-12851

cve-icon Vulnrichment

Updated: 2026-06-24T12:50:46.494Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')