CVE-2026-12850 GeoVision Inc. CVE debrief

Who should care

Organizations using GeoVision GV-I/O Box 4E 2.09 devices should prioritize patching this vulnerability to prevent potential attacks. The vulnerability's high severity and ease of exploitation make it a critical concern for defenders. Additionally, security teams should monitor network traffic and system logs for potential exploitation attempts.

Technical summary

The libNetSetObj.so library is used to configure the network stack on GeoVision GV-I/O Box 4E 2.09 devices. The CNetSetObj::m_F_n_Set_Gate_way function is vulnerable to OS command injection due to a lack of sanitization on the gateway address string. This function is called by various binaries on the device and is reachable from the DVRSearch service and Network.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted network packet to trigger command execution.

Defensive priority

High

Recommended defensive actions

• Apply patches or updates provided by the vendor to fix the vulnerability.
• Monitor network traffic and system logs for potential exploitation attempts.
• Implement additional security controls, such as network segmentation and access controls, to limit the attack surface.
• Conduct regular vulnerability assessments and penetration testing to identify and address potential vulnerabilities.
• Consider implementing compensating controls, such as intrusion detection and prevention systems, to detect and prevent exploitation attempts.

Evidence notes

The CVE-2026-12850 vulnerability was reported by Talos Intelligence and is publicly disclosed. The vulnerability exists in the libNetSetObj.so library used by GeoVision GV-I/O Box 4E 2.09 devices. The vulnerability is caused by a lack of sanitization in the CNetSetObj::m_F_n_Set_Gate_way function, which allows an attacker to inject OS commands. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

Official resources