Description
GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely.



Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both `Basic` authentication and the `Digest` modes of authentication.  



#### Stack-overflow via unbound copy of base64 decoded string

The `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.
Published: 2026-05-04
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic stack overflow caused by an unbounded copy of a base64‑decoded string into a 256‑byte buffer in the gvapi endpoint of GeoVision VMS V20. The buffer overflows when the decoded payload exceeds 256 characters, and because the application is compiled without ASLR, the overflow can be reliably predicted, allowing an attacker to inject and execute arbitrary code with SYSTEM privileges. This flaw is identified as CWE‑787, a classic out‑of‑bounds write.

Affected Systems

GeoVision Inc. GV‑VMS V20.0.2 running on Windows is affected. The vulnerability exists when the WebCam Server feature is enabled, exposing the gvapi endpoint over HTTP or HTTPS. The patched version, GV‑VMS V21.0.0, removes the flaw.

Risk and Exploitability

The CVSS score of 10 indicates the highest severity, and the EPSS score is not available, but the lack of address space layout randomization and the ability to control the overflown data make exploitation highly likely for an authenticated user. The vulnerability is not listed in CISA KEV, but the high CVSS and the remote access vector via the WebCam Server feature mean that if an attacker can obtain or guess credentials for the gvapi endpoint, code execution is almost guaranteed. The risk remains high until the system is upgraded or the remote feature is disabled.

Generated by OpenCVE AI on May 4, 2026 at 02:21 UTC.

Remediation

Vendor Solution

GeoVision GV-VMS version V21.0.0 has patched the reported vulnerability.  User is recommended to download the update from GeoVision's offical website (https://www.geovision.com.tw/download/product/GV-VMS%20V20) or contact GeoVision Support team

OpenCVE Recommended Actions

  • Update GeoVision GV‑VMS to version V21.0.0, which contains the patch for the stack overflow.
  • If an upgrade is not immediately possible, disable the WebCam Server feature so the vulnerable endpoint is no longer exposed to external traffic.
  • Apply network segmentation or firewall rules to block access to the gvapi endpoint, and monitor for authentication attempts or anomalous traffic to the WebCam Server module.

Generated by OpenCVE AI on May 4, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely. Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both `Basic` authentication and the `Digest` modes of authentication.   #### Stack-overflow via unbound copy of base64 decoded string The `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.
Title GeoVision GV-VMS V20 WebCam Server stack overflow vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-vms V20.0.2
Weaknesses CWE-787
CPEs cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v20.0.2:*:windows:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v21.0.0:*:windows:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-vms V20.0.2
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Geovision Inc. Gv-vms V20.0.2
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:47:00.507Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42369

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T01:16:04.153

Modified: 2026-05-04T01:16:04.153

Link: CVE-2026-42369

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z

Weaknesses