CVE-2026-4606 (GCVE-0-2026-4606)

Vulnerability from cvelistv5 – Published: 2026-03-23 01:05 – Updated: 2026-03-24 03:56
Title
GeoVision ERM Improper Privilege Assignment Leads to SYSTEM-Level Privilege
Summary
GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.  During installation, ERM creates a Windows service that runs under the LocalSystem account.  When the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.  Functions such as 'Import Data' open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.  Any ERM function invoking Windows file open/save dialogs exposes the same risk.  This vulnerability allows local privilege escalation and may result in full system compromise.
CWE
  • CWE-250 - Execution with unnecessary privileges
Assigner
GV
Impacted products
Vendor: GeoVision
Product: GV-Edge Recording Manager
Version: Affected: 2.3.1; Unaffected: 2.3.2
Date Public
2026-03-23 01:15
Credits
Reported by security researcher Chao Liu (chaoliu@rbbusa.com)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T03:56:02.798Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.geovision.com.tw/download/product/GV%E2%80%90Edge%20Recording%20Manager%20(Windows%20Version)",
          "defaultStatus": "unaffected",
          "packageName": "GV-Edge Recording Manager",
          "platforms": [
            "Windows"
          ],
          "product": "GV-Edge Recording Manager",
          "vendor": "GeoVision",
          "versions": [
            {
              "status": "affected",
              "version": "2.3.1"
            },
            {
              "status": "unaffected",
              "version": "2.3.2"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Reported by security researcher Chao Liu (chaoliu@rbbusa.com)"
        }
      ],
      "datePublic": "2026-03-23T01:15:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eGV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.\u0026nbsp;\u003c/p\u003e\u003cp\u003eDuring installation, ERM creates a Windows service that runs under the LocalSystem account.\u0026nbsp;\u003c/p\u003e\u003cp\u003eWhen the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.\u0026nbsp;\u003c/p\u003e\u003cp\u003eFunctions such as \u0027Import Data\u0027 open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.\u0026nbsp;\u003c/p\u003e\u003cp\u003eAny ERM function invoking Windows file open/save dialogs exposes the same risk.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis vulnerability allows local privilege escalation and may result in full system compromise.\u003c/p\u003e"
            }
          ],
          "value": "GV Edge Recording Manager (ERM) v2.3.1 improperly runs application components with SYSTEM-level privileges, allowing any local user to gain full control of the operating system.\u00a0\n\nDuring installation, ERM creates a Windows service that runs under the LocalSystem account.\u00a0\n\nWhen the ERM application is launched, related processes are spawned under SYSTEM privileges rather than the security context of the logged-in user.\u00a0\n\nFunctions such as \u0027Import Data\u0027 open a Windows file dialog operating with SYSTEM permissions, enabling modification or deletion of protected system files and directories.\u00a0\n\nAny ERM function invoking Windows file open/save dialogs exposes the same risk.\u00a0\n\nThis vulnerability allows local privilege escalation and may result in full system compromise."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-113",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-113 Interface Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "IRRECOVERABLE",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:N/R:I/V:C/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250 Execution with unnecessary privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T01:15:18.367Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "url": "https://https://www.geovision.com.tw/cyber_security.php"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "GeoVision ERM Improper Privilege Assignment Leads to SYSTEM-Level Privilege",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-4606",
    "datePublished": "2026-03-23T01:05:31.952Z",
    "dateReserved": "2026-03-23T00:46:43.918Z",
    "dateUpdated": "2026-03-24T03:56:02.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-4606",
      "date": "2026-05-28",
      "epss": "0.00062",
      "percentile": "0.19475"
    }
  }
}

