Description
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.
Published: 2026-05-06
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Notification Settings of GeoVision GV-ASWeb 6.2.0 allows an authenticated user with System Setting permissions to forge an HTTP POST request to the ASWebCommon.srf backend endpoint, which bypasses frontend restrictions and lets the attacker execute arbitrary commands on the server. The vulnerability is categorized as CWE-94, indicating code injection that can lead to full control over the affected system.

Affected Systems

The affected product is GeoVision Inc.'s GV-ASWeb (ASManager) version 6.2.0 running on Windows platforms. Version 6.3.0 contains the remediation.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authentication and specific System Setting permissions, meaning the attack surface is limited to privileged users. However, an attacker who meets those requirements can execute arbitrary commands on the server, resulting in complete compromise of confidentiality, integrity, and availability. The exploitation path is straightforward for an authenticated user, making it a noticeable risk for organizations that rely on GV-ASWeb.

Generated by OpenCVE AI on May 6, 2026 at 09:20 UTC.

Remediation

Vendor Solution

The reported vulnerability is going to be fixed with the official release of GeoVision's ASManager V6.3.0.


OpenCVE Recommended Actions

  • Upgrade GeoVision ASManager to version 6.3.0, which includes the fix for the described RCE vulnerability.
  • Restrict System Setting permissions to a minimal set of trusted administrators and audit user roles regularly to reduce the attack surface.
  • Configure a web application firewall or network firewall to detect and block abnormal HTTP POST traffic to the ASWebCommon.srf endpoint.

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Geovision; Geovision gv-asmanager
Vendors & Products | | Geovision; Geovision gv-asmanager

Wed, 06 May 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions.
Title | | GV-ASWeb Remote Code Execution (RCE) vulnerability
First Time appeared | | Geovision Inc.; Geovision Inc. asmanager
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:geovision_inc.:asmanager:v6.2.0:*:windows:*:*:*:*:*; cpe:2.3:a:geovision_inc.:asmanager:v6.3.0:*:windows:*:*:*:*:*
Vendors & Products | | Geovision Inc.; Geovision Inc. asmanager
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-05-06T06:47:53.765Z

Reserved: 2026-05-05T07:36:15.083Z

Link: CVE-2026-7841

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T08:16:04.490

Modified: 2026-05-06T08:16:04.490

Link: CVE-2026-7841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:30:26Z

Weaknesses