CVE-2026-12849: GeoVision GV-I/O Box 4E RCE Vulnerability

CVE-2026-12849 is a command injection flaw in GeoVision GV-I/O Box 4E that enables remote code execution through crafted network packets. This article covers the technical details, affected versions, and mitigation.

CVE-2026-12849 Overview

CVE-2026-12849 is an OS command injection vulnerability in the libNetSetObj.so library of the GeoVision GV-I/O Box 4E version 2.09. The library configures network parameters such as IP address, netmask, gateway, and DNS for the device. Attackers can send a crafted network packet to trigger command execution on the device. The vulnerable code path is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint, exposing the device to remote attack [CWE-78].

Critical Impact

A network-reachable attacker can execute arbitrary operating system commands on the GeoVision GV-I/O Box 4E by sending crafted input to the network configuration interface.

Affected Products

  • GeoVision GV-I/O Box 4E firmware version 2.09
  • Binaries that load libNetSetObj.so
  • DVRSearch service and Network.cgi endpoint on the device

Discovery Timeline

  • 2026-06-24 - CVE-2026-12849 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-12849

Vulnerability Analysis

The libNetSetObj.so library exposes the CNetSetObj::m_F_n_Set_Net_Mask function, which constructs a shell command string using user-supplied input and passes it to system(). The function formats the command /sbin/ifconfig %s netmask %s, where the netmask argument originates from a remote request. Because the input is not validated or escaped, shell metacharacters propagate directly into the command line. The function is also reachable through additional libNetSetObj.so entry points used to set IP, gateway, and DNS values, multiplying the attack surface.

```cpp
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
    bool v2;
    char v4[72];

    v2 = *this == 0;
    if ( *this )
        v2 = netmask_addr == 0;
    if ( v2 )
        return 0;
    sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
    system(v4);
    return 1;
}
```

Source: Talos Intelligence Vulnerability Report TALOS-2026-2379

Root Cause

The root cause is missing input sanitization in network configuration routines. The library passes attacker-controlled strings into sprintf and then into system(), allowing shell interpretation of characters such as ;, |, &, and backticks.
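
One way to close this root cause, given as an added example and not as vendor or Talos code: validate both arguments against a strict allow-list, then run /sbin/ifconfig through an argument vector so that no shell ever parses the input. The names set_net_mask_safe, is_valid_netmask and is_valid_ifname are hypothetical.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict dotted-quad netmask: digits and dots only, contiguous 1 bits. */
int is_valid_netmask(const char *s)
{
    struct in_addr a;
    uint32_t inv;

    if (s == NULL || strlen(s) > 15 || strspn(s, "0123456789.") != strlen(s))
        return 0;
    if (inet_pton(AF_INET, s, &a) != 1)   /* rejects short or out-of-range input */
        return 0;
    inv = ~ntohl(a.s_addr);
    return (inv & (inv + 1)) == 0;        /* ones followed only by zeros */
}

/* Interface name: 1-15 chars, alphanumeric start, then [A-Za-z0-9._:]. */
int is_valid_ifname(const char *s)
{
    size_t n = s ? strlen(s) : 0;

    if (n == 0 || n > 15 || !isalnum((unsigned char)s[0]))
        return 0;
    for (size_t i = 1; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr("._:", s[i]) == NULL)
            return 0;
    return 1;
}

/* Hypothetical replacement for the setter: validate, then exec without a shell. */
int set_net_mask_safe(const char *ifname, const char *netmask)
{
    int status;
    pid_t pid;

    if (!is_valid_ifname(ifname) || !is_valid_netmask(netmask))
        return 0;
    if ((pid = fork()) < 0)
        return 0;
    if (pid == 0) {                       /* child: argv list, no /bin/sh parsing */
        execl("/sbin/ifconfig", "ifconfig", ifname, "netmask", netmask, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The same validate-then-exec pattern applies to the IP, gateway and DNS setters that the analysis says share this code path.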

Attack Vector

An attacker reaches the vulnerable function through the DVRSearch service or by submitting a request to Network.cgi. Supplying a netmask field containing shell metacharacters causes the injected commands to run with the privileges of the calling binary on the device.

Detection Methods for CVE-2026-12849

Indicators of Compromise

  • Inbound network traffic to the DVRSearch service from untrusted sources.
  • HTTP requests to Network.cgi containing shell metacharacters (;, |, &, backticks, $()) in netmask, IP, gateway, or DNS fields.
  • Unexpected child processes spawned from binaries that load libNetSetObj.so.
  • Outbound connections from the device to unknown hosts following network configuration requests.

Detection Strategies

  • Inspect requests to Network.cgi and the DVRSearch service for non-numeric content in network configuration parameters.
  • Alert on any process execution chain originating from the GV-I/O Box 4E that deviates from /sbin/ifconfig invocations with standard CIDR arguments.
  • Correlate network configuration changes on the device with subsequent shell process activity.
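
The parameter inspection described in the first strategy, as an added example that is not from the advisory: it URL-decodes a form body and counts the network fields whose value is anything other than digits and dots. The urlencoded body format and the field names ip, netmask, gateway and dns are assumptions, since the page does not give the real Network.cgi parameter names.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical field names; use the ones seen in real Network.cgi traffic. */
static const char *NET_FIELDS[] = { "ip", "netmask", "gateway", "dns" };

/* Decode %XX and '+' from src[0..len) into dst; returns the decoded length. */
static size_t url_decode(const char *src, size_t len, char *dst, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < cap; i++) {
        if (src[i] == '%' && i + 2 < len && isxdigit((unsigned char)src[i + 1])
            && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = (src[i] == '+') ? ' ' : src[i];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Count network fields whose decoded value is not 0-15 digits and dots. */
int count_suspicious_fields(const char *body)
{
    int hits = 0;
    for (const char *p = body; *p; ) {
        size_t flen = strcspn(p, "&");
        const char *eq = memchr(p, '=', flen);
        size_t klen = eq ? (size_t)(eq - p) : 0;
        for (size_t k = 0; eq && k < sizeof NET_FIELDS / sizeof *NET_FIELDS; k++) {
            char val[64];
            size_t n, ok = 0;
            if (strlen(NET_FIELDS[k]) != klen || strncmp(p, NET_FIELDS[k], klen))
                continue;
            n = url_decode(eq + 1, flen - klen - 1, val, sizeof val);
            while (ok < n && (isdigit((unsigned char)val[ok]) || val[ok] == '.'))
                ok++;
            if (n > 15 || ok != n)  /* length comes from the decoder, so %00 is caught */
                hits++;
        }
        p += flen + (p[flen] == '&');  /* skip the field and its separator */
    }
    return hits;
}
```

Decoding before matching matters here: a filter that only looks for literal metacharacters misses their percent-encoded forms.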

Monitoring Recommendations

  • Capture and review traffic to and from GeoVision GV-I/O Box 4E devices at the network perimeter.
  • Forward device syslog output to a central log store and alert on ifconfig invocations with malformed arguments.
  • Track new outbound connections from IoT VLANs that host GeoVision devices.

How to Mitigate CVE-2026-12849

Immediate Actions Required

  • Restrict network access to the GV-I/O Box 4E so that only trusted management hosts can reach DVRSearch and Network.cgi.
  • Place affected devices on an isolated VLAN with no direct internet exposure.
  • Audit existing network configuration values on the device for unexpected characters.
  • Review device logs for prior exploitation attempts containing shell metacharacters.

Patch Information

No vendor patch is listed in the published advisory. Consult the GeoVision Cyber Security Overview and the Talos Intelligence Vulnerability Report TALOS-2026-2379 for current vendor guidance and firmware updates.

Workarounds

  • Block external access to TCP and UDP ports used by DVRSearch and the device web interface.
  • Require VPN access for any administrative interaction with the device.
  • Disable remote network configuration features where the deployment allows it.
  • Apply firewall rules that drop traffic containing shell metacharacters destined for Network.cgi.

```bash
# Example firewall rule restricting management access to a trusted host
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p udp --dport 17000 -s 10.0.0.10 -j ACCEPT
iptables -A INPUT -p udp --dport 17000 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
