Description
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request triggers a leakage of Administrator credentials, allowing an attacker to acquire elevated privileges. This flaw is classified as CWE‑522, which denotes insecure storage of credentials. The vulnerability can compromise confidentiality and control over the device if exploited, but it does not necessarily grant immediate remote code execution.

Affected Systems

The affected vendors and products are GeoVision Inc. – GV‑LPC2011/LPC2211. The specific firmware version known to be vulnerable is v1.10; the newer v1.20 firmware is not listed as affected in the description. Users running firmware 1.10 or earlier on the GV‑LPC2011/LPC2211 models should review their software version.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate to high risk. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, but the attack can be performed remotely by issuing an HTTP request to the ssi.cgi endpoint. An attacker with network access to the web interface can exploit the flaw without specialized authentication, potentially obtaining administrator credentials and escalating privileges within the device.

Generated by OpenCVE AI on May 4, 2026 at 02:22 UTC.

Remediation

Vendor Solution

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability.  The user may visit the GeoVision website or contact the GeoVision Support team for firmware update.

OpenCVE Recommended Actions

  • Apply the vendor‑issued firmware update V1.12‑260330 to all affected GV‑LPC2011/LPC2211 devices.
  • If an immediate update is not possible, block or restrict external access to the Web Interface, especially the ssi.cgi endpoint, using firewall rules or network segmentation.
  • Monitor for unusual credential usage and conduct post‑patch vulnerability scans to confirm that the credentials leak is no longer present.

Generated by OpenCVE AI on May 4, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 05 May 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Geovision gv-lpc2011 Firmware
Geovision gv-lpc2211 Firmware
CPEs cpe:2.3:h:geovision:gv-lpc2011:-:*:*:*:*:*:*:*
cpe:2.3:h:geovision:gv-lpc2211:-:*:*:*:*:*:*:*
cpe:2.3:o:geovision:gv-lpc2011_firmware:1.10:*:*:*:*:*:*:*
cpe:2.3:o:geovision:gv-lpc2211_firmware:1.10:*:*:*:*:*:*:*
Vendors & Products Geovision gv-lpc2011 Firmware
Geovision gv-lpc2211 Firmware

Mon, 04 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Geovision
Geovision gv-lpc2011
Geovision gv-lpc2211
Vendors & Products Geovision
Geovision gv-lpc2011
Geovision gv-lpc2211

Mon, 04 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability.
Title GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi privilege escalation vulnerability via leak of Administrator credentials
First Time appeared Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
Weaknesses CWE-522
CPEs cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.10:*:linux:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-lpc2011_lpc2211:v1.20:*:linux:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-lpc2011 Lpc2211
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Geovision Gv-lpc2011 Gv-lpc2011 Firmware Gv-lpc2211 Gv-lpc2211 Firmware
Geovision Inc. Gv-lpc2011 Lpc2211
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-05T12:44:07.467Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42367

cve-icon Vulnrichment

Updated: 2026-05-04T13:44:07.711Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T01:16:03.890

Modified: 2026-05-05T02:45:01.993

Link: CVE-2026-42367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T16:06:13Z

Weaknesses