Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57268

CVE-2026-57268: GeoWebPlayer RCE Vulnerability

CVE-2026-57268 is a remote code execution flaw in GeoVision GeoWebPlayer caused by unchecked index values in the saveVideo command. Attackers can exploit out-of-bounds array access to execute arbitrary code via function pointers.

Published:

CVE-2026-57268 Overview

CVE-2026-57268 is an out-of-bounds access vulnerability [CWE-129] in GeoVision GeoWebPlayer, also known as "Web Plugin" in GV-VMS documentation and "WS Player" for VMS-Cloud. The addon runs a local WebSocket server that expands the capabilities of GeoVision web interfaces. The saveVideo command accepts an attacker-controlled index value that is used to access internal arrays without range validation. An attacker who convinces a local user to visit a malicious page can trigger the flaw and potentially execute arbitrary code through an out-of-bounds function pointer dereference.

Critical Impact

Successful exploitation can lead to code execution via an out-of-bounds virtual function pointer read triggered from a browser-originated WebSocket message.

Affected Products

  • GeoVision GeoWebPlayer (Web Plugin)
  • GeoVision GV-VMS with Web Plugin installed
  • GeoVision GV-Cloud / VMS-Cloud with WS Player

Discovery Timeline

  • 2026-07-02 - CVE-2026-57268 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-57268

Vulnerability Analysis

GeoWebPlayer installs a local WebSocket server that receives JSON commands from localhost. Several commands, including saveVideo, extract an index integer from the message and use it directly to index internal arrays. The service does not validate that index falls within the bounds of crit_sections[] or array_of_IPCams[].

When processing saveVideo, the handler first calls CCriticalSection::EnterCritSection(&this->crit_sections[index]). It then dispatches a message to this->array_of_IPCams[index] if that pointer is non-null. Finally it invokes a virtual method through this->crit_sections[index].vtbl + 20. Because index is attacker-controlled, the vtable pointer is read from an arbitrary memory location, and calling through it can yield arbitrary code execution in the context of the GeoWebPlayer process.

Root Cause

The root cause is improper validation of an array index [CWE-129]. The handler trusts the index field parsed by json_value_to_int after only confirming it is an integer with json_is_value_int. No lower or upper bound is enforced before it is used to compute pointers into fixed-size arrays.

Attack Vector

Exploitation requires user interaction. A victim must load a web page that connects to the local WebSocket server exposed by GeoWebPlayer and send a crafted saveVideo message. Because the socket listens on localhost, any browser tab or local application can reach it. The attacker chooses an index that points to memory containing a controlled vtable, causing the virtual call at offset +20 to redirect execution.

See the Talos Intelligence Vulnerability Report for the annotated pseudocode of the vulnerable handler.

Detection Methods for CVE-2026-57268

Indicators of Compromise

  • Unexpected WebSocket connections to the GeoWebPlayer listener from browser processes visiting untrusted domains.
  • Crashes or abnormal termination of the GeoWebPlayer / Web Plugin / WS Player process on endpoints running GeoVision software.
  • saveVideo command messages containing out-of-range or negative index values in local WebSocket traffic captures.

Detection Strategies

  • Inspect loopback WebSocket traffic on hosts with GeoVision products for JSON payloads referencing saveVideo with unusually large index values.
  • Monitor for child processes or in-memory code execution originating from the GeoWebPlayer process.
  • Correlate browser navigation events with subsequent GeoWebPlayer crashes to identify drive-by exploitation attempts.

Monitoring Recommendations

  • Enable process and module load logging on endpoints running GV-VMS, GV-Cloud, or VMS-Cloud clients.
  • Alert on GeoWebPlayer service restarts and Windows Error Reporting entries referencing its executable.
  • Capture and retain localhost WebSocket telemetry from workstations that operate video management consoles.

How to Mitigate CVE-2026-57268

Immediate Actions Required

  • Inventory endpoints where GeoWebPlayer, Web Plugin, or WS Player is installed alongside GeoVision software.
  • Restrict browser access to untrusted sites from workstations that operate GV-VMS or GV-Cloud interfaces.
  • Stop or disable the GeoWebPlayer WebSocket service on systems that do not require the web interface.

Patch Information

No fixed version is listed in the NVD entry at publication time. Consult the GeoVision Cyber Security Overview for vendor advisories and updated builds, and review the Talos Intelligence Vulnerability Report for technical coordination details.

Workarounds

  • Uninstall GeoWebPlayer where the web-based interface is not required for daily operations.
  • Block outbound access from workstations to arbitrary web content when they are used to manage GeoVision systems.
  • Use host firewall rules to limit which local processes may connect to the GeoWebPlayer WebSocket port.
bash
# Example: block non-browser access to the local WebSocket listener on Windows
# Replace <PORT> with the port used by GeoWebPlayer on your deployment
netsh advfirewall firewall add rule name="Block GeoWebPlayer WS" ^
  dir=in action=block protocol=TCP localport=<PORT> remoteip=127.0.0.1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.