FKIE_CVE-2026-12486
Vulnerability from fkie_nvd - Published: 2026-06-24 05:17 - Updated: 2026-06-25 14:02
Severity
Summary
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_IP_Addr command injection
The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = ip_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address
system(v4);
return 1;
}
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "GV-I/O Box 4E",
"vendor": "GeoVision Inc.",
"versions": [
{
"status": "affected",
"version": "V2.09"
},
{
"status": "unaffected",
"version": "V2.12"
}
]
}
],
"source": "0df08a0e-a200-4957-9bb0-084f562506f9"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_IP_Addr command injection\n\nThe following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)\n\n {\n\n bool v2; // zf\n\n char v4[72]; // [sp+0h] [bp-48h] BYREF\n\n\n\n v2 = *this == 0;\n\n if ( *this )\n\n v2 = ip_addr == 0;\n\n if ( v2 )\n\n return 0;\n\n sprintf(v4, \"/sbin/ifconfig %s %s\", *this, ip_addr); // attacker controlled ip address \n\n system(v4);\n\n return 1;\n\n }"
}
],
"id": "CVE-2026-12486",
"lastModified": "2026-06-25T14:02:35.347",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-12486",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:54:03.543792Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-24T05:17:26.220",
"references": [
{
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
},
{
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"url": "https://www.geovision.com.tw/cyber_security.php"
}
],
"sourceIdentifier": "0df08a0e-a200-4957-9bb0-084f562506f9",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…