Impact
An OS command injection flaw is present in the libNetSetObj.so library of GeoVision GV‑I/O Box 4E firmware 2.09. The vulnerable routine builds a shell command from DNS address values supplied in a network packet and invokes system() without any sanitization, allowing an attacker to inject arbitrary shell commands. The result is the ability to execute commands with the privileges of the device’s underlying Linux system, which can lead to full system compromise. This issue is a classic example of CWE‑78, an input validation weakness that permits remote command execution.
Affected Systems
GeoVision Inc. devices, specifically the GV‑I/O Box 4E firmware version 2.09, are confirmed vulnerable. Firmware 2.12 is also listed, but its patch status is not specified in the CVE data. The flaw is triggered through the network‑exposed DVRSearch service and the Network.cgi endpoint.
Risk and Exploitability
With a CVSS score of 9.1 the vulnerability is classified as critical, and an EPSS score of 2% indicates a low but non‑zero probability of exploitation. It is reachable over the network without authentication, so any host with network access to the device can trigger the injection. The vulnerability is not yet listed in the CISA KEV catalog, but the ability to run arbitrary commands on a publicly reachable device makes it a high‑priority threat.
OpenCVE Enrichment