Description
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credential leak. An attacker can listen to broadcast messages to trigger this vulnerability.


When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default.
Published: 2026-04-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft leading to full device control
Action: Immediate Patch
AI Analysis

Impact

GeoVision GV-IP Device Utility 9.0.5.0 uses an encryption scheme derived from Blowfish to protect device credentials, but the symmetric key is transmitted alongside the encrypted username and password in broadcast UDP packets. An attacker on the same LAN can capture these packets, decrypt the credentials using a known implementation of the algorithm, and obtain full administrative control over the device. With such credentials an attacker can alter the device’s network configuration, reset it to factory defaults, or otherwise execute arbitrary privileged commands, effectively compromising the device’s integrity and availability.

Affected Systems

The vulnerability affects GeoVision Inc.'s GV-IP Device Utility, specifically version 9.0.5.0 and earlier releases that employ the described broadcast authentication process. The vendor has released 9.0.7.0 as a patch to address this issue.

Risk and Exploitability

The CVSS score of 9.3 reflects a severe impact, while the EPSS score of < 1% indicates that exploit attempts are currently rare. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be a local LAN attacker able to observe broadcast traffic; thus an attacker who can join the same network segment or sniff broadcast packets could leverage this flaw with minimal prerequisites.

Generated by OpenCVE AI on April 28, 2026 at 05:01 UTC.

Remediation

Vendor Solution

Version 9.0.7.0 of the GeoVision GV-IP Device Utility patches the reported Device Authentication vulnerability.


OpenCVE Recommended Actions

  • Apply the GeoVision GV-IP Device Utility update to version 9.0.7.0 or newer.
  • Configure the device to disable or restrict UDP broadcast commands, ensuring that privileged instructions are only sent over secure, unicast channels.
  • Implement network segmentation or VLAN isolation so that the device’s broadcast traffic is not accessible to unauthorized LAN users.
  • Activate and review device logging for unauthorized configuration changes, and forward logs to a secure, monitored syslog server.

Generated by OpenCVE AI on April 28, 2026 at 05:01 UTC.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credential leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default.
Title GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-ip Device Utility
Weaknesses CWE-656
CPEs cpe:2.3:a:geovision_inc.:gv-ip_device_utility:9.0.5.0:*:windows:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-ip Device Utility
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-04-27T13:30:33.786Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42363

Vulnrichment

Updated: 2026-04-27T13:19:03.687Z

NVD

Status : Deferred

Published: 2026-04-27T00:16:20.357

Modified: 2026-05-19T15:22:14.957

Link: CVE-2026-42363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:15:22Z

Weaknesses