CVE-2026-42367 Overview
CVE-2026-42367 is a privilege escalation vulnerability in the Web Interface ssi.cgi functionality of GeoVision LPC2011 and LPC2211 firmware version 1.10. A specially crafted HTTP request triggers a credentials leak that an authenticated low-privilege attacker can use to obtain higher-privilege account material. The flaw is reachable over the network and requires no user interaction. The weakness is classified under CWE-522: Insufficiently Protected Credentials.
Critical Impact
An authenticated attacker on the network can issue an HTTP request to ssi.cgi and retrieve credentials, enabling privilege escalation against affected GeoVision license plate capture devices.
Affected Products
- GeoVision GV-LPC2011 (firmware 1.10)
- GeoVision GV-LPC2211 (firmware 1.10)
- Web Interface component ssi.cgi
Discovery Timeline
- 2026-05-04 - CVE-2026-42367 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42367
Vulnerability Analysis
The vulnerability resides in the ssi.cgi handler exposed by the web management interface of GeoVision GV-LPC2011 and GV-LPC2211 devices running firmware 1.10. When the handler processes a specifically structured HTTP request, it returns sensitive credential material in the response. An attacker holding low-privilege credentials, or who can persuade an authenticated user to load a malicious page, can harvest those credentials and authenticate as a higher-privilege account.
The issue maps to CWE-522: Insufficiently Protected Credentials. Credentials that should remain server-side are returned in the rendered output of the CGI endpoint, breaking the principle of least privilege for the management interface. The current EPSS probability is 0.02%, indicating low observed exploitation interest at this time.
Root Cause
The root cause is improper handling of credential data within ssi.cgi. The endpoint includes credential fields in the response payload instead of redacting or omitting them before rendering. Combined with permissive access controls that allow low-privilege users to reach the handler, the disclosure becomes a viable privilege escalation primitive.
Attack Vector
Exploitation requires network reachability to the device's web interface and a valid low-privilege session. The attacker submits a crafted HTTP GET or POST to ssi.cgi and parses the response for leaked credentials. Alternatively, an attacker can host a webpage that triggers the vulnerable request through an already-authenticated browser session, capturing the leaked credentials for reuse against the management interface.
No public proof-of-concept exploit code has been verified for this vulnerability. Refer to the Talos Intelligence Vulnerability Reports and the GeoVision Cybersecurity Information page for additional technical details.
Detection Methods for CVE-2026-42367
Indicators of Compromise
- HTTP requests to /ssi.cgi originating from low-privilege user sessions or unexpected source addresses.
- HTTP responses from ssi.cgi containing credential field names or password-like strings in body content.
- Successful administrative logins to the GeoVision web interface from accounts that previously held only low-privilege roles.
- Repeated ssi.cgi access patterns followed by privileged configuration changes on GV-LPC2011 or GV-LPC2211 devices.
Detection Strategies
- Inspect web server and reverse proxy logs for ssi.cgi requests and correlate them with subsequent authentication events.
- Deploy network sensors to flag HTTP responses from device management interfaces that contain credential keywords such as password, passwd, or pwd.
- Baseline normal administrative request patterns to the GeoVision web UI and alert on deviations from low-privilege accounts.
Monitoring Recommendations
- Forward GeoVision device logs and upstream proxy logs into a centralized logging or SIEM platform for retention and correlation.
- Monitor for lateral movement following any anomalous access to ssi.cgi, including new sessions to other internal management interfaces.
- Alert on configuration changes to camera or LPC management settings outside of approved change windows.
How to Mitigate CVE-2026-42367
Immediate Actions Required
- Restrict network access to the GeoVision LPC2011 and LPC2211 web interface to trusted management subnets only.
- Audit user accounts on affected devices and remove unnecessary low-privilege accounts that can reach ssi.cgi.
- Rotate all administrative and service credentials configured on affected devices, assuming prior exposure.
- Review device logs for any historical access to ssi.cgi from non-administrative users.
Patch Information
GeoVision publishes firmware updates and security notices on the GeoVision Cybersecurity Information page. Apply the vendor-provided firmware update for GV-LPC2011 and GV-LPC2211 once it supersedes version 1.10. Verify firmware integrity after upgrade and confirm that ssi.cgi no longer returns credential fields in its response.
Workarounds
- Place affected devices behind a VPN or network access control layer that limits the web interface to authorized administrators.
- Block external HTTP and HTTPS access to the device management ports at the perimeter firewall.
- Disable or remove low-privilege user accounts on affected devices until firmware is updated.
- Deploy a reverse proxy with an access control list that denies requests to the ssi.cgi path from non-administrative source addresses.
# Example iptables rule limiting access to the GeoVision web interface
iptables -A INPUT -p tcp --dport 80 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
