cnvd - cnvd-2025-20222

CNVD-2025-20222

Vulnerability from cnvd - Published: 2025-09-04

Title

Geovision GV-ASWeb代码注入漏洞

Description

Geovision GV-ASWeb是中国奇偶（Geovision）公司的一个基于Web的软件，用于远程访问和配置GV-ASManager的数据库。 Geovision GV-ASWeb存在代码注入漏洞，攻击者可利用该漏洞在系统上执行任意命令。

Severity

高

Formal description

目前没有详细解决方案提供： https://www.geovision.com.tw/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-26264

Impacted products

Name
Geovision GV-ASWeb <=6.1.2.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-26264",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-26264"
    }
  },
  "description": "Geovision GV-ASWeb\u662f\u4e2d\u56fd\u5947\u5076\uff08Geovision\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u8f6f\u4ef6\uff0c\u7528\u4e8e\u8fdc\u7a0b\u8bbf\u95ee\u548c\u914d\u7f6eGV-ASManager\u7684\u6570\u636e\u5e93\u3002\n\nGeovision GV-ASWeb\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttps://www.geovision.com.tw/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-20222",
  "openTime": "2025-09-04",
  "products": {
    "product": "Geovision GV-ASWeb \u003c=6.1.2.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-26264",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-03",
  "title": "Geovision GV-ASWeb\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-26264 (GCVE-0-2025-26264)

Vulnerability from cvelistv5 – Published: 2025-02-27 00:00 – Updated: 2025-03-19 13:35

Summary

GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/DRAGOWN/CVE-2025-26264
	https://www.geovision.com.tw/download/product/GV-…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-26264",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-28T17:13:14.523407Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-94",
                "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-28T21:28:14.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/DRAGOWN/CVE-2025-26264"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with \"System Settings\" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-19T13:35:23.085Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/DRAGOWN/CVE-2025-26264"
        },
        {
          "url": "https://www.geovision.com.tw/download/product/GV-ASManager%20%28Access%20Control%29"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-26264",
    "datePublished": "2025-02-27T00:00:00.000Z",
    "dateReserved": "2025-02-07T00:00:00.000Z",
    "dateUpdated": "2025-03-19T13:35:23.085Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-20222

CVE-2025-26264 (GCVE-0-2025-26264)

Tags

Sightings

Nomenclature