CVE-2026-7372 Overview
CVE-2026-7372 is a stack overflow vulnerability in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. The flaw resides in the HTTP authentication handler, where an unconstrained sscanf call parses the decoded authorization header into fixed-size 40-byte stack buffers for the username and password. Unauthenticated attackers can send a crafted HTTP request to trigger the overflow and potentially achieve arbitrary code execution as SYSTEM on the host running the service. The issue is tracked under CWE-787 (Out-of-bounds Write).
Critical Impact
An unauthenticated network attacker can corrupt the call stack of the WebCam Server process and execute arbitrary code with SYSTEM privileges on the GV-VMS host.
Affected Products
- GeoVision GV-VMS V20 version 20.0.2
- GeoVision GV-VMS firmware (matching vulnerable build)
- Deployments exposing the WebCam Server login endpoint over HTTP
Discovery Timeline
- 2026-05-04 - CVE-2026-7372 published to the National Vulnerability Database
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7372
Vulnerability Analysis
The vulnerability lives in the WebCam Server component that handles HTTP Basic authentication for GV-VMS. After Base64-decoding the Authorization header into an internal Buffer variable, the service calls sscanf to split the decoded string into separate username and password fields using a colon delimiter.
Both destination variables are allocated as 40-byte arrays on the stack. The format string passed to sscanf does not include a width specifier, so the function copies bytes until it encounters the delimiter or end of input. Any decoded username or password longer than 40 characters writes past the destination buffer and corrupts adjacent stack memory, including the saved return address.
Because the request is processed before authentication completes, no credentials or prior session are required. A successful exploit yields code execution in the security context of the WebCam Server process, which runs as SYSTEM on Windows hosts.
Root Cause
The root cause is missing length validation in the call to sscanf. The format string lacks a maximum field width such as %39s, allowing attacker-controlled input to overflow fixed-size stack buffers. This is a classic CWE-787 out-of-bounds write that maps to the stack-based buffer overflow class CWE-121.
Attack Vector
The attack vector is network-based. An attacker reachable on the WebCam Server HTTP port crafts an Authorization: Basic header whose Base64-decoded payload contains a username or password longer than 40 bytes. The malformed credential string forces sscanf to write past the stack frame.
Exploitation reliability is reduced by constraints on the input bytes. The Base64 decoding step and the colon-delimited sscanf parsing prevent embedded null bytes and certain control characters, which complicates shellcode staging but does not prevent stack frame corruption or return-address control. Refer to the GeoVision Cyber Security Resources and Talos Intelligence Vulnerability Reports for additional technical details.
Detection Methods for CVE-2026-7372
Indicators of Compromise
- HTTP requests to the GV-VMS WebCam Server containing Authorization: Basic headers whose decoded payload exceeds 80 bytes before the colon delimiter.
- Unexpected crashes, restarts, or access violations in the WebCam Server process recorded in Windows Application or WER event logs.
- Outbound connections from the GV-VMS host to unfamiliar IP addresses immediately following inbound HTTP authentication attempts.
Detection Strategies
- Inspect HTTP traffic to the WebCam Server and flag Basic authentication headers whose decoded length is anomalous compared to legitimate clients.
- Monitor the WebCam Server process for child process creation, unexpected DLL loads, or memory regions transitioning to executable, all of which indicate post-overflow code execution.
- Correlate authentication failures, process crashes, and new outbound network sessions on GV-VMS hosts within short time windows.
Monitoring Recommendations
- Forward GV-VMS host telemetry, IIS or embedded web server logs, and Windows Security events to a centralized SIEM for correlation.
- Alert on any process spawned by the WebCam Server binary, since legitimate operation rarely requires shell or scripting interpreters.
- Track inbound connections to the WebCam Server from networks that are not part of the documented camera management VLAN.
How to Mitigate CVE-2026-7372
Immediate Actions Required
- Restrict network access to the GV-VMS WebCam Server to trusted management subnets using firewall rules or ACLs.
- Disable the WebCam Server feature on GV-VMS deployments where it is not actively required.
- Enforce HTTPS and place the management interface behind a VPN or zero-trust gateway to limit unauthenticated reachability.
Patch Information
GeoVision tracks security fixes on its GeoVision Cyber Security Resources page. Administrators should consult that advisory portal for the patched GV-VMS V20 build that addresses CVE-2026-7372 and apply it on all affected installations. Until a fixed build is deployed, treat the WebCam Server endpoint as untrusted and unauthenticated-reachable.
Workarounds
- Block external access to the WebCam Server HTTP port at the network perimeter and on host firewalls.
- Place GV-VMS servers on an isolated VLAN with strict ingress filtering from camera operators only.
- Deploy a reverse proxy or web application firewall that rejects Authorization: Basic headers whose decoded credential fields exceed 40 bytes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
