Description
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credential leak. An attacker can listen to broadcast messages to trigger this vulnerability.

When interacting with various GeoVision devices on the network, the utility may send privileged commands; to do so, the username and password of the device must be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, so the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default.
Published: 2026-05-04
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GeoVision GV-IP Device Utility 9.0.5.0 fails to properly secure its device authentication mechanism. The username and password are encrypted in broadcast UDP packets, but the symmetric key is also transmitted, allowing anyone on the same LAN to recover the credentials. Once decrypted, an attacker can issue privileged commands to reconfigure or reset the device, effectively taking full control of its configuration and operation.

Affected Systems

The vulnerability exists in GeoVision Inc. GV‑IP Device Utility, specifically the 9.0.5.0 release. The vendor has provided a patch in version 9.0.7.0. Systems that have not yet applied this update are at risk.

Risk and Exploitability

With a CVSS score of 9.3, this flaw is considered critical. Exploitation requires access to the local LAN and the ability to capture broadcast traffic; no additional credentials or privileges are needed to capture the packet. Once an attacker obtains the decrypted credentials, they gain full administrative control of the device. The EPSS score is not available, and the flaw is not currently listed in CISA’s KEV catalog, but its high impact and direct attack path make it a serious threat for any exposed network.

Generated by OpenCVE AI on May 4, 2026 at 02:24 UTC.

Remediation

Vendor Solution

GeoVision GV-IP Device Utility version 9.0.7.0 patches the reported vulnerability. Users are advised to update to version 9.0.7.0 from GeoVision's official website (https://www.geovision.com.tw/download/product/GV-VMS%20V20) or contact the GeoVision Support team.


OpenCVE Recommended Actions

  • Update GeoVision GV‑IP Device Utility to the patched version 9.0.7.0 from the vendor’s official website.
  • If patching is delayed, isolate the device from broadcast traffic by placing it behind a VLAN or firewall that blocks UDP broadcasts from untrusted sources.
  • Replace weak broadcast authentication with a stronger, properly key‑managed protocol and rotate device credentials regularly to limit exposure.


Advisories

No advisories yet.

History

Mon, 04 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title: GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability
First Time appeared: Geovision Inc.; Geovision Inc. gv-ip Device Utility
Weaknesses: CWE-656
CPEs:
  • cpe:2.3:a:geovision_inc.:gv-ip_device_utility:9.0.5.0:*:windows:*:*:*:*:*
  • cpe:2.3:a:geovision_inc.:gv-ip_device_utility:9.0.7.0:*:windows:*:*:*:*:*
Vendors & Products: Geovision Inc.; Geovision Inc. gv-ip Device Utility
References
Metrics: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-04T00:39:39.188Z

Reserved: 2026-04-27T00:00:42.121Z

Link: CVE-2026-7161

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T01:16:04.447

Modified: 2026-05-04T01:16:04.447

Link: CVE-2026-7161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T02:30:34Z

Weaknesses