CVE-2024-6047: GeoVision GV-DSP LPR Firmware RCE Flaw

CVE-2024-6047 Overview

CVE-2024-6047 is a critical command injection vulnerability affecting multiple end-of-life (EOL) GeoVision surveillance devices. The vulnerability exists due to improper filtering of user input for specific functionality within the device firmware. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on affected devices, potentially leading to complete device compromise.

Critical Impact

This vulnerability is actively being exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Attackers are leveraging this flaw to recruit vulnerable GeoVision devices into Mirai-based botnets.

Affected Products

• GeoVision GV-DSP LPR (License Plate Recognition)
• GeoVision GV-BX130, GV-BX1500 (Box Cameras)
• GeoVision GV-CB220 (Cube Camera)
• GeoVision GV-EBL1100, GV-EFD1100 (Eyeball Dome Cameras)
• GeoVision GV-FD2410, GV-FD3400, GV-FE3401, GV-FE420 (Fixed Dome Cameras)
• GeoVision GV-VS03, GV-VS14, GV-VS04A, GV-VS04H, GV-VS2410, GV-VS2800, GV-VS2820, GV-VS21600 (Video Servers)
• GeoVision GV-GM8186 VS14, GVLX 4 (Additional Devices)

Discovery Timeline

• June 17, 2024 - CVE-2024-6047 published to NVD
• October 30, 2025 - Last updated in NVD database

Technical Details for CVE-2024-6047

Vulnerability Analysis

This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The affected GeoVision devices fail to properly sanitize user-supplied input before passing it to system-level command execution functions. Because the devices have reached end-of-life status, no patches are available from the vendor.

The vulnerability allows unauthenticated attackers to achieve remote code execution over the network without any user interaction required. Once compromised, attackers gain the same privileges as the device's web service, typically root-level access on embedded Linux systems. This enables complete device takeover including the ability to modify firmware, exfiltrate data, pivot to other network assets, or conscript the device into a botnet.

According to Akamai Security Research, this vulnerability is being actively exploited to recruit devices into Mirai-variant botnets.

Root Cause

The root cause of this vulnerability is insufficient input validation and sanitization in the device's web interface. User-controllable parameters are concatenated directly into shell commands without proper escaping or filtering of shell metacharacters. This allows attackers to break out of the intended command context and inject additional malicious commands.

The vulnerability specifically affects firmware-level functionality that processes certain HTTP requests, where input data is passed unsanitized to system shell functions such as system(), popen(), or similar command execution interfaces.

Attack Vector

The attack can be executed remotely over the network by sending specially crafted HTTP requests to the vulnerable device's web interface. The attack requires no authentication and no user interaction, making it trivially exploitable once a vulnerable device is discovered.

Attackers typically identify exposed GeoVision devices through internet scanning services and then send malicious payloads designed to download and execute botnet malware. The command injection is achieved by embedding shell metacharacters (such as ;, |, &&, or backticks) followed by malicious commands within HTTP request parameters.

Due to the EOL nature of these devices, exploitation in the wild focuses on using them as botnet nodes for distributed denial-of-service attacks and as pivot points for lateral movement within networks.

Detection Methods for CVE-2024-6047

Indicators of Compromise

• Unusual outbound connections from GeoVision devices to known botnet command-and-control infrastructure
• Unexpected processes running on the device, particularly those associated with Mirai variants
• HTTP request logs showing suspicious parameters containing shell metacharacters (;, |, &&, $(, backticks)
• Network traffic patterns consistent with DDoS participation or cryptocurrency mining

Detection Strategies

• Monitor network traffic from IoT/surveillance devices for connections to known malicious IP addresses and domains
• Implement network segmentation to isolate surveillance equipment and enable anomaly detection
• Deploy intrusion detection rules to identify command injection patterns in HTTP requests to GeoVision devices
• Use asset inventory tools to identify all EOL GeoVision devices on the network

Monitoring Recommendations

• Enable logging on network perimeter devices to capture traffic to and from surveillance equipment
• Configure SIEM alerts for any outbound connections from GeoVision devices to non-standard ports
• Monitor for sudden increases in bandwidth utilization from surveillance device network segments
• Implement behavioral analysis to detect devices communicating with unusual external hosts

How to Mitigate CVE-2024-6047

Immediate Actions Required

• Identify all affected GeoVision devices in your environment using network scanning and asset inventory
• Isolate affected devices from the internet immediately by removing direct internet access
• Place devices behind a firewall or VPN with strict access controls limiting management interface access to trusted IPs only
• Plan for device replacement as no patches are available for these EOL products

Patch Information

No patches are available for this vulnerability. GeoVision has designated all affected device models as end-of-life, meaning they will not receive security updates. The only definitive remediation is to replace affected devices with currently supported models that receive regular security updates.

Organizations should reference the TWCert Security Advisory and the CISA KEV Catalog for official guidance.

Workarounds

• Block external access to affected devices by ensuring they are not directly accessible from the internet
• Implement network segmentation to isolate surveillance devices on a dedicated VLAN with restricted routing
• Use a reverse proxy or web application firewall (WAF) to filter malicious requests if device access is required
• Disable unused services and web interfaces on affected devices to reduce attack surface
• Monitor device behavior and network traffic for signs of compromise until replacement can be completed

# Example firewall rules to restrict access to GeoVision devices
# Block all inbound traffic from the internet to GeoVision device subnet
iptables -A INPUT -d 192.168.10.0/24 -i eth0 -j DROP

# Allow management access only from trusted admin network
iptables -A INPUT -s 10.0.0.0/24 -d 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d 192.168.10.0/24 -p tcp --dport 443 -j ACCEPT

# Block outbound connections from GeoVision devices to the internet
iptables -A OUTPUT -s 192.168.10.0/24 -o eth0 -j DROP