CVE-2026-12851: GeoVision GV-I/O Box 4E RCE Vulnerability

CVE-2026-12851 is a remote code execution vulnerability in GeoVision GV-I/O Box 4E that enables OS command injection via DNS configuration. This article covers technical details, affected versions, and mitigation.

CVE-2026-12851 Overview

CVE-2026-12851 is an OS command injection vulnerability [CWE-78] in the libNetSetObj.so library of the GeoVision GV-I/O Box 4E version 2.09. The library is used by multiple binaries on the device to configure the network stack, including DNS settings, IP addresses, and gateway parameters. A specially crafted network packet sent to the affected device leads to arbitrary command execution. The flaw is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint, exposing the device to remote exploitation.

Critical Impact

Authenticated attackers can execute arbitrary OS commands on the GeoVision GV-I/O Box 4E by sending crafted network packets, leading to full device compromise.

Affected Products

  • GeoVision GV-I/O Box 4E firmware version 2.09
  • Binaries linking against libNetSetObj.so
  • Network-exposed DVRSearch service and Network.cgi endpoint

Discovery Timeline

  • 2026-06-24 - CVE-2026-12851 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-12851

Vulnerability Analysis

The vulnerability resides in the CNetSetObj::m_F_n_Set_DNS_Addr function within libNetSetObj.so. The function accepts up to two DNS address strings (dns1 and dns2) supplied by the caller and embeds them directly into a shell command via sprintf. The resulting string is then passed to the system() function for execution. Because the function performs no input sanitization or validation, attacker-controlled metacharacters in the DNS fields are interpreted by the shell.

The constructed command takes the form /bin/echo nameserver <dns> > /etc/resolv.conf. By injecting shell metacharacters such as backticks, semicolons, or pipe characters into the dns1 or dns2 parameter, an attacker substitutes arbitrary commands that execute with the privileges of the calling service. The same vulnerable function is callable from two distinct entry points, broadening the exploitable attack surface.

Root Cause

The root cause is unsanitized concatenation of attacker-supplied input into a shell command string before invocation of system(). The function lacks any character filtering, allow-listing, or use of safer process-execution APIs that separate command and arguments.
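To make the root cause concrete, the following is an added example (not GeoVision's code and not a reconstruction of the actual libNetSetObj.so binary): a hypothetical function that builds the shell command string the way the advisory describes, beside a hardened replacement that allow-lists each address as an IP literal and writes the file directly, so no shell ever parses caller input. The function names and the output path are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the unsafe pattern: the caller-supplied
 * address is pasted into a shell command string. Only the string is built
 * here; the real library hands such a string to system(). */
void build_vulnerable_command(const char *dns, char *out, size_t outlen) {
    snprintf(out, outlen, "/bin/echo nameserver %s > /etc/resolv.conf", dns);
}

/* Allow-list check: accept only a syntactically valid IPv4 or IPv6 literal,
 * which by construction contains no shell metacharacters. */
int dns_addr_is_valid(const char *dns) {
    unsigned char buf[16];
    if (dns == NULL || strlen(dns) > INET6_ADDRSTRLEN) return 0;
    return inet_pton(AF_INET, dns, buf) == 1 || inet_pton(AF_INET6, dns, buf) == 1;
}

/* Hardened replacement: validate both addresses, then write the file with
 * stdio so no shell ever parses the input. Returns the number of nameserver
 * lines written, or -1 on invalid input or I/O error. */
int set_dns_addr_safe(const char *dns1, const char *dns2, const char *path) {
    const char *addrs[2] = { dns1, dns2 };
    int written = 0;
    for (int i = 0; i < 2; i++)            /* reject before touching the file */
        if (addrs[i] != NULL && addrs[i][0] != '\0' && !dns_addr_is_valid(addrs[i]))
            return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    for (int i = 0; i < 2; i++) {
        if (addrs[i] == NULL || addrs[i][0] == '\0') continue;
        if (fprintf(f, "nameserver %s\n", addrs[i]) < 0) { fclose(f); return -1; }
        written++;
    }
    return fclose(f) == 0 ? written : -1;
}

int main(void) {
    char cmd[128];
    build_vulnerable_command("1.1.1.1;ls", cmd, sizeof cmd);
    printf("unsafe command string: %s\n", cmd);   /* the ';ls' would run under system() */
    printf("valid: %d  rejected: %d\n", dns_addr_is_valid("1.1.1.1"),
           dns_addr_is_valid("1.1.1.1;ls"));
    printf("written: %d\n", set_dns_addr_safe("1.1.1.1", NULL, "/tmp/resolv.conf.example"));
    return 0;
}
```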

Attack Vector

A remote attacker delivers a crafted network request to the DVRSearch service or the Network.cgi endpoint with shell metacharacters embedded in the DNS address parameters. When the device processes the request, libNetSetObj.so invokes system() on the unsanitized string, executing the injected commands. The attack requires network access to the device and existing privileges, as reflected in the CVSS vector.

No verified public proof-of-concept code is available. Refer to the Talos Intelligence Vulnerability Report for technical details from the disclosing researchers.

Detection Methods for CVE-2026-12851

Indicators of Compromise

  • Unexpected modifications to /etc/resolv.conf on the device, including non-IP content in nameserver entries
  • Child processes spawned by network configuration binaries that are not /bin/echo, such as /bin/sh, wget, or nc
  • Inbound traffic to the DVRSearch service or Network.cgi endpoint containing shell metacharacters (;, |, `, $()) in DNS parameter fields

Detection Strategies

  • Inspect HTTP request bodies and query strings targeting Network.cgi for shell metacharacters in DNS-related parameters
  • Monitor DVRSearch protocol traffic for malformed or oversized DNS configuration fields
  • Correlate device configuration changes with the source IP of the originating request to identify unauthorized callers
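The first two strategies above can be applied to Network.cgi requests with a small inspector that percent-decodes each DNS parameter and flags anything that is not a plain IP literal, which catches both raw and URL-encoded metacharacters. This is an added example, not code from the advisory or from GeoVision; the parameter naming (any key containing "dns", such as dns1 and dns2) is an assumption about the CGI interface, and the sample query strings are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode %XX escapes in place so encoded metacharacters (%3B, %60, %7C) are seen. */
static void url_decode(char *s) {
    char *w = s;
    for (; *s != '\0'; s++, w++) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            *w = (char)(hexval((unsigned char)s[1]) * 16 + hexval((unsigned char)s[2]));
            s += 2;
        } else {
            *w = *s;
        }
    }
    *w = '\0';
}

/* A DNS value is acceptable only if it parses as an IPv4/IPv6 literal; any
 * shell metacharacter (; | ` $ ( ) newline) necessarily fails this test. */
static int is_ip_literal(const char *v) {
    unsigned char buf[16];
    return inet_pton(AF_INET, v, buf) == 1 || inet_pton(AF_INET6, v, buf) == 1;
}

/* Count DNS parameters in `query` whose decoded value is not a plain IP literal. */
int count_suspicious_dns_params(const char *query) {
    char buf[1024], *tok, *eq;
    int hits = 0;
    snprintf(buf, sizeof buf, "%s", query);            /* bounded copy */
    for (tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        if ((eq = strchr(tok, '=')) == NULL) continue;
        *eq = '\0';
        for (char *p = tok; *p; p++) *p = (char)tolower((unsigned char)*p);
        if (strstr(tok, "dns") == NULL) continue;      /* assumed key naming: dns1, dns2 */
        url_decode(eq + 1);
        if (!is_ip_literal(eq + 1)) hits++;
    }
    return hits;
}

int main(void) {   /* constructed sample query strings, not captured traffic */
    printf("benign: %d  encoded injection: %d\n",
           count_suspicious_dns_params("ip=192.168.1.10&dns1=1.1.1.1&dns2=9.9.9.9"),
           count_suspicious_dns_params("dns1=1.1.1.1%3B%20ls&dns2=9.9.9.9"));
    return 0;
}
```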

Monitoring Recommendations

  • Log all administrative HTTP requests to GeoVision GV-I/O Box 4E devices and alert on anomalous parameter content
  • Capture egress traffic from GV-I/O Box devices to detect outbound connections initiated by injected commands
  • Audit /etc/resolv.conf integrity on a recurring basis and alert on unscheduled changes

How to Mitigate CVE-2026-12851

Immediate Actions Required

  • Restrict network access to GeoVision GV-I/O Box 4E management interfaces using firewall rules or network segmentation
  • Disable or block external exposure of the DVRSearch service and Network.cgi endpoint where feasible
  • Rotate any administrative credentials used to access the device, given the high-privilege requirement in the CVSS vector

Patch Information

No vendor patch is referenced in the NVD entry at publication time. Review the GeoVision Cyber Security Overview page for vendor advisories and firmware updates addressing CVE-2026-12851.

Workarounds

  • Place affected devices on an isolated management VLAN reachable only by trusted administrative hosts
  • Front the device with a reverse proxy that strips shell metacharacters from DNS configuration parameters
  • Disable remote configuration features and require physical or VPN-gated access for network setting changes
```bash
# Example firewall rule to restrict access to the management interface
iptables -A INPUT -p tcp --dport 80 -s <trusted_admin_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p udp --dport 5201 -s <trusted_admin_subnet> -j ACCEPT
iptables -A INPUT -p udp --dport 5201 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.