Description
GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely.



Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both `Basic` authentication and the `Digest` modes of authentication.  



#### Stack-overflow via unbound copy of base64 decoded string

The `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.
Published: 2026-05-04
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic stack overflow caused by an unbounded copy of a base64‑decoded string into a 256‑byte buffer in the gvapi endpoint of GeoVision VMS V20. The buffer overflows when the decoded payload exceeds 256 characters, and because the application is compiled without ASLR, the overflow can be reliably predicted, allowing an attacker to inject and execute arbitrary code with SYSTEM privileges. This flaw is identified as CWE‑787, a classic out‑of‑bounds write.

Affected Systems

GeoVision Inc. GV‑VMS V20.0.2 running on Windows is affected. The vulnerability exists when the WebCam Server feature is enabled, exposing the gvapi endpoint over HTTP or HTTPS. The patched version, GV‑VMS V21.0.0, removes the flaw.

Risk and Exploitability

The CVSS score of 10 indicates the highest severity, and the EPSS score is not available, but the lack of address space layout randomization and the ability to control the overflown data make exploitation highly likely for an authenticated user. The vulnerability is not listed in CISA KEV, but the high CVSS and the remote access vector via the WebCam Server feature mean that if an attacker can obtain or guess credentials for the gvapi endpoint, code execution is almost guaranteed. The risk remains high until the system is upgraded or the remote feature is disabled.

Generated by OpenCVE AI on May 4, 2026 at 02:21 UTC.

Remediation

Vendor Solution

GeoVision GV-VMS version V20.1.0 has patched the reported vulnerability.  User is recommended to download the update from GeoVision's offical website (https://www.geovision.com.tw/download/product/GV-VMS%20V20) or contact GeoVision Support team For User currently running V20.0.2 may also visit the following link to download the V20.0.2.10 patch file that fixed the vulnerability.  https://php.gvdip.com/phpbb3/viewtopic.php?t=3326

OpenCVE Recommended Actions

  • Update GeoVision GV‑VMS to version V21.0.0, which contains the patch for the stack overflow.
  • If an upgrade is not immediately possible, disable the WebCam Server feature so the vulnerable endpoint is no longer exposed to external traffic.
  • Apply network segmentation or firewall rules to block access to the gvapi endpoint, and monitor for authentication attempts or anomalous traffic to the WebCam Server module.

Generated by OpenCVE AI on May 4, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 09:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v2.1.0:*:windows:*:*:*:*:* cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v20.0.2.10:*:windows:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v20.1.0.0:*:windows:*:*:*:*:*

Tue, 12 May 2026 02:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v21.0.0:*:windows:*:*:*:*:* cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v2.1.0:*:windows:*:*:*:*:*

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Geovision
Geovision gv-vms
Vendors & Products Geovision
Geovision gv-vms

Mon, 04 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the "WebCam Server" feature. Once enabled, it is possible to access to the management and monitoring feature via a regular Web interface. This webersever is another native application, compiled without ASLR, which makes exploitation much easier and more likely. Most of the features require authentication before being reachable and leverage a standard login page to grant access. However the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header. It supports both `Basic` authentication and the `Digest` modes of authentication.   #### Stack-overflow via unbound copy of base64 decoded string The `b64decoder` string is sized dynamically, but it is then copied to the `Buffer` stack variable one character at the time at [0], and there's no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the `Buffer` variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.
Title GeoVision GV-VMS V20 WebCam Server stack overflow vulnerability
First Time appeared Geovision Inc.
Geovision Inc. gv-vms V20.0.2
Weaknesses CWE-787
CPEs cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v20.0.2:*:windows:*:*:*:*:*
cpe:2.3:a:geovision_inc.:gv-vms_v20.0.2:v21.0.0:*:windows:*:*:*:*:*
Vendors & Products Geovision Inc.
Geovision Inc. gv-vms V20.0.2
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Geovision Gv-vms
Geovision Inc. Gv-vms V20.0.2
cve-icon MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-15T07:45:15.385Z

Reserved: 2026-04-26T23:39:08.350Z

Link: CVE-2026-42369

cve-icon Vulnrichment

Updated: 2026-05-04T12:51:38.659Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T01:16:04.153

Modified: 2026-05-19T15:22:14.957

Link: CVE-2026-42369

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:44:17Z

Weaknesses