Description
An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
Published: 2026-05-04
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An os command injection flaw exists in the DdnsSetting.cgi handler of GeoVision LPC2011/LPC2211 firmware 1.10. The flaw allows a specially crafted DDNS configuration to be passed to the underlying operating system, enabling an attacker to execute arbitrary shell commands. The consequence is full compromise of the device’s operating system, including confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects GeoVision Inc. firmware model GV‑LPC2011/LPC2211 version 1.10. Pixels vulnerable to this issue were patched in firmware release 1.12‑260330. Administrators who run earlier firmware should verify the version and apply the updated firmware.

Risk and Exploitability

With a CVSS score of 9.9 the flaw is classified as critical. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, but remote code execution is a high‑risk issue. The likely attack vector is a remote attacker sending a malicious request to the DdnsSetting.cgi web interface, which requires network reachability to the device’s management port. Successful exploitation would give the attacker the same privileges with which the CGI script runs, typically root or equivalent on the embedded Linux system.

Generated by OpenCVE AI on May 4, 2026 at 02:24 UTC.

Remediation

Vendor Solution

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability.  The user may visit GeoVision website or contact GeoVision Support team for firmware update.

OpenCVE Recommended Actions

  • Update the device firmware to version 1.12‑260330 or later, which removes the vulnerable code.
  • Ensure that the management web interface is only reachable from trusted networks by configuring firewall rules or VLAN segmentation.
  • Disable the DDNS configuration feature if it is not required, or implement input validation to reject command‑containing values so that injected commands cannot be executed.

Generated by OpenCVE AI on May 4, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
Title GeoVision LPC2011/LPC2211 Web Interface / DdnsSetting.cgi OS command injection vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
Weaknesses CWE-78
CPEs cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:1.10:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:1.12:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Geovision Inc. Gv-lpc2011 Lpc2211
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:41:33.908Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42364

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T01:16:03.470

Modified: 2026-05-04T01:16:03.470

Link: CVE-2026-42364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z

Weaknesses