CVE-2026-4860 Overview
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to version 2.7.4. This vulnerability affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java within the API Endpoint component. The manipulation results in insecure deserialization, allowing attackers to potentially execute arbitrary code or manipulate application behavior. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
This insecure deserialization vulnerability in the Redis configuration component could allow remote attackers to execute malicious code by exploiting the GenericFastJsonRedisSerializer function through crafted serialized objects sent to the API endpoint.
Affected Products
- wvp-GB28181-pro versions up to 2.7.4
- Applications utilizing the affected RedisTemplateConfig.java component
- Systems with exposed API endpoints configured with the vulnerable FastJson Redis serializer
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-4860 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-4860
Vulnerability Analysis
This vulnerability is classified as an insecure deserialization flaw (CWE-20: Improper Input Validation) affecting the wvp-GB28181-pro video platform project. The vulnerable component resides in the Redis template configuration where the GenericFastJsonRedisSerializer class is used to handle serialization and deserialization of objects stored in Redis cache.
FastJSON has a history of deserialization vulnerabilities, and when improperly configured, it can allow attackers to instantiate arbitrary Java objects during the deserialization process. In this case, the API endpoint accepts serialized data that is processed by the vulnerable serializer without adequate validation, potentially enabling remote code execution.
The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it particularly dangerous for internet-facing deployments of the wvp-GB28181-pro platform.
Root Cause
The root cause of this vulnerability lies in the unsafe use of GenericFastJsonRedisSerializer within the RedisTemplateConfig.java file. FastJSON's auto-type feature, when enabled or improperly restricted, allows the deserialization of arbitrary Java classes specified in the JSON payload. This can be exploited to instantiate gadget classes that execute malicious code during object construction or destruction.
The application fails to implement proper type filtering or whitelisting mechanisms that would restrict which classes can be deserialized, leaving the system vulnerable to object injection attacks through the Redis-backed API endpoints.
Attack Vector
The attack is conducted remotely over the network. An attacker can craft a malicious serialized payload containing references to dangerous Java classes (gadget chains) and submit it to the vulnerable API endpoint. When the application processes this payload through the GenericFastJsonRedisSerializer, the malicious classes are instantiated, potentially leading to arbitrary code execution on the server.
The attack does not require authentication or user interaction, and can be launched by any network-accessible attacker who can reach the vulnerable API endpoint. For detailed technical analysis and proof-of-concept information, refer to the GitHub Issue Report and VulDB entry #353191.
Detection Methods for CVE-2026-4860
Indicators of Compromise
- Unusual JSON payloads containing @type fields with unexpected or suspicious class references in API requests
- Redis cache entries containing serialized objects with references to known FastJSON gadget classes
- Unexpected process execution or network connections originating from the application server
- Log entries showing deserialization errors or class instantiation failures for unusual class names
Detection Strategies
- Monitor API endpoint traffic for JSON payloads containing FastJSON auto-type indicators such as @type, $ref, or class name references
- Implement application-level logging to capture all deserialization operations and flag attempts to instantiate suspicious classes
- Deploy Web Application Firewall (WAF) rules to detect and block common FastJSON deserialization attack patterns
- Review Redis cache contents periodically for signs of injected malicious serialized objects
Monitoring Recommendations
- Enable detailed logging for the RedisTemplateConfig component and associated API endpoints
- Set up alerts for failed deserialization attempts or exceptions related to class loading
- Monitor system resource usage for anomalies that could indicate post-exploitation activity
- Implement network traffic analysis to detect outbound connections from the application that could indicate successful exploitation
How to Mitigate CVE-2026-4860
Immediate Actions Required
- Restrict network access to the vulnerable API endpoints using firewall rules or network segmentation
- Disable or remove the GenericFastJsonRedisSerializer if not strictly required for application functionality
- Implement strict input validation and type whitelisting for all deserialization operations
- Review and audit all API endpoints that interact with Redis cache for similar vulnerabilities
Patch Information
No official patch has been released by the vendor at this time. The vendor was contacted early about this disclosure but did not respond in any way. Organizations using wvp-GB28181-pro should implement the workarounds described below and monitor the project repository for any future security updates.
For additional vulnerability intelligence, refer to the VulDB CTI entry and VulDB submission #776213.
Workarounds
- Replace GenericFastJsonRedisSerializer with a safer serialization mechanism such as Jackson with strict type handling
- Configure FastJSON SafeMode to disable auto-type functionality if continuing to use FastJSON
- Implement a custom deserializer with explicit class whitelisting that only allows known, safe types
- Deploy the application behind a reverse proxy with request filtering capabilities to block malicious payloads
# Configuration example - Disable FastJSON auto-type (if applicable)
# Add to application configuration or startup parameters
-Dfastjson.parser.safeMode=true
# Or implement network-level restrictions
# Example iptables rule to restrict API access to trusted networks only
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
