CVE-2026-12850 Overview
CVE-2026-12850 is an OS command injection vulnerability [CWE-78] in the libNetSetObj.so library used by the GeoVision GV-I/O Box 4E firmware version 2.09. The library configures the network stack for services running on the device, including DVRSearch and the Network.cgi endpoint. A specially crafted network packet supplying an attacker-controlled gateway string reaches system() without sanitization, allowing arbitrary shell command execution on the device.
Critical Impact
Authenticated network attackers can execute arbitrary OS commands on the device, leading to full compromise of the embedded IoT controller and any networks it bridges.
Affected Products
- GeoVision GV-I/O Box 4E firmware version 2.09
- The libNetSetObj.so shared library on the device
- Binaries invoking CNetSetObj::m_F_n_Set_Gate_way, including DVRSearch and Network.cgi
Discovery Timeline
- 2026-06-24 - CVE-2026-12850 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-12850
Vulnerability Analysis
The vulnerability resides in CNetSetObj::m_F_n_Set_Gate_way inside libNetSetObj.so. The function accepts a gateway string and a device string from callers that expose attacker-controlled input from the network. It concatenates these values into a shell command using sprintf and passes the result to system(). No input validation, escaping, or argument-style execution is used.
Both the DVRSearch service and the Network.cgi HTTP endpoint reach this code path. Because DVRSearch is exposed on the network, an attacker capable of reaching the device can trigger the sink with a crafted request. The injected payload runs in the context of the calling binary, which on these embedded devices is typically a privileged process.
Root Cause
The root cause is unsafe concatenation of untrusted input into a shell command string. The vulnerable routine builds commands such as /sbin/route add default gw <gw> dev <dev> and passes them directly to /bin/sh via system(). Shell metacharacters in the gw parameter terminate the intended command and append attacker-supplied operations.
Attack Vector
An attacker sends a network request to the DVRSearch service or the Network.cgi endpoint that sets the gateway field to a value containing shell metacharacters such as ;, |, or backticks. When the device processes the request, the injected commands execute with the privileges of the handling binary.
// Vulnerable function from libNetSetObj.so (Source: Talos TALOS-2026-2379), decompiler output
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
    char s[324]; // [sp+4h] [bp-144h] BYREF

    if ( !dev && !*this || !gw )
        return 0;
    system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
    system("/sbin/route del default ");
    if ( dev )
        sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev);    // attacker-controlled gw (and dev) written into a shell command
    else
        sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this);  // attacker-controlled gw
    system(s);   // /bin/sh interprets any metacharacters in gw or dev
    sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this);
    system(s);   // same unsanitized gw reaches the shell a second time
    return 1;
}
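A hardened form of the default-gateway step, added here as an example (not GeoVision's or Talos's code): the gateway must parse as a dotted-quad IPv4 address, the interface name is restricted to a small character set, and /sbin/route is executed through fork/execv with separate arguments so no shell ever sees the input. The function names and the choice of IPv4-only gateways are assumptions.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a dotted-quad IPv4 address; ";", "|", "`", spaces, etc. all fail. */
int valid_gateway(const char *gw)
{
    struct in_addr a;
    return gw != NULL && inet_pton(AF_INET, gw, &a) == 1;
}

/* Accept only short interface names built from [A-Za-z0-9._-], e.g. "eth0". */
int valid_ifname(const char *dev)
{
    if (dev == NULL) return 0;
    size_t n = strlen(dev);
    if (n == 0 || n >= 16) return 0;               /* kernel IFNAMSIZ is 16 */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)dev[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Execute argv[] directly via fork/execv: no /bin/sh, so metacharacters are inert. */
static int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                                 /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Validate first, then pass gw and dev as separate arguments (assumed replacement for
 * the vulnerable sprintf/system pair). 1 = route added, 0 = input rejected, -1 = exec error. */
int set_gateway_safe(const char *gw, const char *dev)
{
    if (!valid_gateway(gw) || !valid_ifname(dev)) return 0;
    char *argv[] = { "/sbin/route", "add", "default", "gw",
                     (char *)gw, "dev", (char *)dev, NULL };
    return run_argv(argv) == 0 ? 1 : -1;
}
```

The same validate-then-execv pattern applies to the multicast route commands in the original function, which interpolate the same gw value.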
Detection Methods for CVE-2026-12850
Indicators of Compromise
- Unexpected child processes spawned by DVRSearch, Network.cgi, or other binaries linked against libNetSetObj.so.
- Outbound connections from the GV-I/O Box 4E to unfamiliar hosts, including reverse shells or downloader activity.
- Modified routing tables, new cron entries, or unexpected files written to /tmp or /var on the device.
Detection Strategies
- Inspect network traffic to DVRSearch and Network.cgi for gateway parameters containing shell metacharacters such as ;, &, |, `, or $(.
- Alert on HTTP requests to Network.cgi originating from non-administrative source IPs.
- Where supported, capture device syslog and watch for invocations of /sbin/route followed by anomalous commands.
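The first detection strategy above, worked through as an added example (not from the original page or any IDS product): a check that percent-decodes a Network.cgi query string and flags gateway-like parameters carrying shell metacharacters, so that encoded forms such as %3B are not missed. The parameter names matched ("gw", "gateway") and the query strings used below are assumptions; the actual field name is not given on the page.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode in place ('+' becomes space) so an encoded ';' (%3B) is still caught. */
static void url_decode(char *s)
{
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 2;
        } else {
            *w++ = (*r == '+') ? ' ' : *r;
        }
    }
    *w = '\0';
}

/* 1 if a gateway-like parameter (name containing "gw" or "gateway"; assumed names) holds
 * shell metacharacters, 0 if clean, -1 if a key=value pair is too long to inspect. */
int query_has_gateway_injection(const char *query)
{
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char kv[512];
        if (len >= sizeof kv) return -1;
        memcpy(kv, p, len);
        kv[len] = '\0';
        p = end ? end + 1 : p + len;

        char *eq = strchr(kv, '=');
        if (!eq) continue;
        *eq = '\0';
        char *val = eq + 1;
        url_decode(kv);
        url_decode(val);
        for (char *c = kv; *c; c++) *c = (char)tolower((unsigned char)*c);
        if (!strstr(kv, "gw") && !strstr(kv, "gateway")) continue;
        /* Same metacharacter set the detection guidance above lists. */
        if (strpbrk(val, ";&|`$()\n")) return 1;
    }
    return 0;
}
```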
Monitoring Recommendations
- Place the device in a segmented VLAN and log all ingress traffic to its management ports.
- Forward firewall and IDS logs from segments containing GeoVision equipment to a centralized SIEM for correlation.
- Baseline normal traffic to DVRSearch so injection attempts stand out against legitimate management activity.
How to Mitigate CVE-2026-12850
Immediate Actions Required
- Restrict network access to the GV-I/O Box 4E so that only trusted management hosts can reach DVRSearch and the web interface.
- Change default credentials and enforce strong authentication on the device, since exploitation requires authenticated access at high privileges.
- Audit existing routing configuration and device file systems for signs of prior tampering.
Patch Information
No vendor-supplied patch is referenced in the available data. Monitor the GeoVision Cyber Security Information page and the Talos Intelligence Vulnerability Report for firmware updates and additional technical detail.
Workarounds
- Block external access to the device entirely and require VPN connectivity for administration.
- Disable or firewall the DVRSearch service if it is not required in the deployment.
- Use an upstream firewall to drop HTTP requests to Network.cgi containing shell metacharacters in gateway-related parameters.
# Example iptables rules restricting management access to a single trusted host (10.0.0.10);
# replace <gvio-box-ip> with the device address. Rule order matters: the DROP must come last.
iptables -A INPUT -p tcp -s 10.0.0.10 -d <gvio-box-ip> --dport 80 -j ACCEPT
iptables -A INPUT -p udp -s 10.0.0.10 -d <gvio-box-ip> --dport 5201 -j ACCEPT
iptables -A INPUT -d <gvio-box-ip> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.