Description
A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.
Published: 2026-05-04
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to guess session cookies used by the web interface of GeoVision LPC2011/LPC2211 devices. By sending a sequence of crafted HTTP requests, an attacker can brute‑force valid session identifiers and bypass authentication, gaining unrestricted access to the device’s management functionality without any prior credentials. This flaw is a session‑management weakness (CWE‑341) and, if exploited, can lead to complete compromise of the device.

Affected Systems

Affected systems are GeoVision Inc.’s GV‑LPC2011/LPC2211 firmware version 1.10 and earlier. The vendor has released a patched firmware version V1.12‑260330 that addresses the issue.

Risk and Exploitability

The CVSS score of 8.6 classifies this vulnerability as High. The EPSS score is currently unavailable, and the absence of a KEV listing does not diminish the risk. Exploitation requires remote access to the device’s web interface and the ability to send HTTP requests, meaning that remote attackers can easily reach the target from the Internet. Because the flaw permits authentication bypass, the potential impact is full compromise, data theft, and service disruption.

Generated by OpenCVE AI on May 4, 2026 at 02:23 UTC.

Remediation

Vendor Solution

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability. The user may visit the GeoVision website or contact the GeoVision Support team for the firmware update.


OpenCVE Recommended Actions

  • Apply the GeoVision GV‑LPC2011/LPC2211 firmware update V1.12‑260330 to remove the session‑cookie guessing flaw.
  • Restrict access to the web management port to known, trusted IP addresses to reduce the exposure surface.
  • Enable logging and monitor traffic for repeated failed authentication attempts or unusual session‑cookie patterns, and investigate promptly.

Generated by OpenCVE AI on May 4, 2026 at 02:23 UTC.
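
One way to act on the monitoring recommendation above, as an added example that is not OpenCVE's or GeoVision's code: flag any client that presents many different session-cookie values within a short window, which a legitimate browser session does not do. The log format, the `sid` field, the request path, the thresholds and the sample lines are assumptions constructed for illustration; the page does not describe the device's actual logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): ISO timestamp, client IP,
# request line, HTTP status, and the session-cookie value the client presented.
LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) sid=(?P<sid>\S+)$')

def find_cookie_guessing(lines, max_distinct=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for clients that present more than max_distinct
    different session-cookie values inside any sliding time window."""
    events = defaultdict(list)                 # ip -> [(timestamp, sid)]
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["sid"] == "-":           # skip unparsable or cookie-less requests
            continue
        events[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["sid"]))

    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)           # sid -> occurrences currently in window
        for ts, sid in seen:
            in_window[sid] += 1
            while ts - seen[start][0] > window:  # evict events older than the window
                old = seen[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample lines; not captured from a real device."""
    normal = [f'2026-05-04T03:00:{s:02d} 192.0.2.10 "GET /index.html" 200 sid=4f1c9a'
              for s in range(0, 40, 5)]        # one client reusing one cookie
    guessing = [f'2026-05-04T03:01:{s:02d} 198.51.100.7 "GET /index.html" 401 sid={1000 + s}'
                for s in range(12)]            # one client cycling through cookie values
    return normal + guessing

if __name__ == "__main__":
    print(find_cookie_guessing(sample_log()))
```

Tune `max_distinct` and `window` to the deployment; clients behind a shared NAT address can legitimately show several cookie values from one IP.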

Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability. |
| Title | | GeoVision LPC2011/LPC2211 Web Interface guessable session cookie vulnerability |
| First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpc2011 Lpc2211 |
| Weaknesses | | CWE-341 |
| CPEs | | cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:1.10:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:1.12:*:linux:*:*:*:*:* |
| Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpc2011 Lpc2211 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:42:08.487Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42365

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T01:16:03.620

Modified: 2026-05-04T01:16:03.620

Link: CVE-2026-42365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z

Weaknesses