PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12849 GeoVision Inc. CVE debrief

CVE-2026-12849 is a critical vulnerability in GeoVision GV-I/O Box 4E firmware version 2.09: multiple OS command injection flaws in the libNetSetObj.so library. An attacker who can send a specially crafted network packet to the device can execute commands on it. The flaws are reachable through both the network-exposed DVRSearch service and the Network.cgi endpoint. libNetSetObj.so is used by several binaries to configure the network stack (IP address, netmask, gateway, DNS). In particular, CNetSetObj::m_F_n_Set_Net_Mask takes a net mask string, performs no sanitization, and passes it to system(); this is a textbook command injection that lets an attacker run commands on the affected device.

Vendor
GeoVision Inc.
Product
GV-I/O Box 4E
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-25
Advisory published
2026-06-24
Advisory updated
2026-06-25

Who should care

Organizations running GeoVision GV-I/O Box 4E version 2.09 should prioritize patching. Successful exploitation gives an attacker arbitrary command execution on the device itself, with whatever privileges the vulnerable service runs under, so the device can be reconfigured, used to stage further attacks, or rendered unavailable. Given the critical severity (CVSS 9.1), immediate action is recommended.

Technical summary

libNetSetObj.so in GeoVision GV-I/O Box 4E 2.09 contains multiple OS command injection vulnerabilities. In CNetSetObj::m_F_n_Set_Net_Mask the user-controlled netmask_addr string is formatted into a command line with sprintf and handed straight to system(), which runs it through /bin/sh -c. Nothing validates the value as a netmask, so shell metacharacters in it (for example a ';' followed by another command) are interpreted by the shell and executed. The function is reachable from the DVRSearch service and the Network.cgi endpoint, both of which are exposed on the network, which is what makes this a high-risk issue rather than a local one.
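To make the mechanism concrete, the following C program models the sprintf()-into-system() pattern described above beside a hardened replacement. It is an added example written for this debrief, not GeoVision's code and not decompiled output: the command string ("ifconfig eth0 netmask ..."), the interface name eth0, the path /sbin/ifconfig and the function names are assumptions, and the injected input is a constructed sample. The hardened version rejects anything that is not a contiguous dotted-quad mask and then execs the helper with an argv array so no shell is ever involved.

```c
/* Added example: models the flaw the advisory describes in
 * CNetSetObj::m_F_n_Set_Net_Mask and a hardened replacement.
 * Assumptions (not from the advisory): the command being built is
 * "ifconfig eth0 netmask <mask>", the interface is eth0, and the
 * hardened path execs /sbin/ifconfig. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* --- Vulnerable pattern ------------------------------------------------ */

/* Builds the command the way the advisory describes: the caller's string is
 * pasted into a shell command line without validation.  Returned separately
 * so a reader (or test) can see exactly what system() would receive. */
const char *build_cmd_vulnerable(const char *netmask_addr, char *buf, size_t len) {
    snprintf(buf, len, "ifconfig eth0 netmask %s", netmask_addr);
    return buf;
}

int set_net_mask_vulnerable(const char *netmask_addr) {
    char cmd[256];
    build_cmd_vulnerable(netmask_addr, cmd, sizeof cmd);
    /* With netmask_addr = "255.255.255.0; id > /tmp/pwned" the shell runs
     * the ifconfig command and then the attacker's command, as the daemon. */
    return system(cmd);
}

/* --- Hardened replacement --------------------------------------------- */

/* Accept only a dotted-quad whose set bits form a contiguous prefix:
 * 255.255.255.0 yes, 255.0.255.0 no, "255.255.255.0; id" no.
 * inet_pton() rejects any trailing or embedded junk, so shell metacharacters
 * never get past this check. Returns 1 if valid, 0 otherwise. */
int netmask_is_valid(const char *s) {
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    uint32_t m = ntohl(a.s_addr);
    uint32_t inv = ~m;
    /* contiguous prefix  <=>  ~m looks like 0...01...1  <=>  inv & (inv+1) == 0 */
    return (inv & (inv + 1u)) == 0;
}

/* Exec the helper directly with an argv array: no shell, so nothing parses
 * metacharacters.  The value is validated first regardless; reject, do not
 * try to "sanitize". Returns the helper's exit status or -1 on error. */
int set_net_mask_hardened(const char *netmask_addr) {
    if (!netmask_is_valid(netmask_addr))
        return -1;
    char *argv[] = { "/sbin/ifconfig", "eth0", "netmask", (char *)netmask_addr, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *evil = "255.255.255.0; id > /tmp/pwned";   /* constructed sample */
    char cmd[256];
    printf("vulnerable path would run : %s\n", build_cmd_vulnerable(evil, cmd, sizeof cmd));
    printf("hardened accepts evil     : %d\n", netmask_is_valid(evil));
    printf("hardened accepts good mask: %d\n", netmask_is_valid("255.255.255.0"));
    return 0;
}
```

The point of the contiguity check is that "is a syntactically valid IPv4 address" is not the same as "is a netmask"; the strict parse is what removes the shell metacharacters, and the argv-based exec is what removes the shell. Either alone closes this particular bug, but together they also survive a future caller that forgets to validate.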

Defensive priority

Patching should be treated as high priority because the flaw is critical, network reachable and trivial to exploit once the injection point is known. Organizations should update every GeoVision GV-I/O Box 4E to a firmware version that fixes these vulnerabilities and confirm the running version afterwards.

Recommended defensive actions

  • Apply the vendor's fixed firmware to every affected GV-I/O Box 4E; the flaw is in libNetSetObj.so, so nothing short of a vendor update removes it.
  • Segment the devices onto a management network and block the DVRSearch service and the web interface (including Network.cgi) from untrusted networks; these devices should never be reachable from the internet.
  • Monitor for requests to Network.cgi whose network-configuration parameters contain shell metacharacters (for example ; | & ` or $( ), and for DVRSearch traffic from hosts that are not known management stations.
  • Maintain an inventory of GeoVision devices and their firmware versions, and audit it regularly so unpatched units are found rather than forgotten.
  • Consider compensating controls while patching is pending: a WAF or reverse proxy in front of the web interface can block metacharacters in Network.cgi parameters, but it covers only the HTTP path; the DVRSearch path must be handled with network filtering.

Evidence notes

The CVE-2026-12849 entry provides detailed information about the vulnerabilities, including the affected product, CVSS score, and references to source reports. The source item from nvd_modified includes additional metadata and references to vulnerability reports from Talos Intelligence and GeoVision's cybersecurity page.

Official resources

This article is AI-assisted and based on the supplied source corpus.