PatchSiren cyber security CVE debrief
CVE-2026-42363 GeoVision Inc. CVE debrief
An insufficient encryption vulnerability in GeoVision GV-IP Device Utility 9.0.5 allows credential theft via passive network monitoring. The utility broadcasts privileged commands over UDP with username and password encrypted using a Blowfish-derived protocol, but the symmetric encryption key is transmitted in the same packet. An attacker on the same LAN can capture broadcast traffic and decrypt credentials using knowledge of the algorithm, gaining full device control including configuration changes and factory reset capability.
- Vendor: GeoVision Inc.
- Product: GV-IP Device Utility
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-27
- Original CVE updated: 2026-05-19
- Advisory published: 2026-04-27
- Advisory updated: 2026-05-19
Who should care
Organizations using GeoVision IP cameras, access control, or other GV-series devices managed through the GV-IP Device Utility, particularly those with flat network topologies where IoT management traffic shares broadcast domains with user devices.
Technical summary
The GeoVision GV-IP Device Utility 9.0.5 transmits device credentials in UDP broadcast packets using a Blowfish-derived encryption scheme where the symmetric key is included in the same packet. This security-through-obscurity design allows any network observer to decrypt captured traffic and recover plaintext credentials. Successful exploitation grants administrative control over affected GeoVision devices.
Defensive priority
critical
Recommended defensive actions
- Segment IoT device management traffic to isolated VLANs with no guest or untrusted device access
- Monitor for UDP broadcast traffic on ports used by GeoVision device discovery and management tools
- Implement network access control (NAC) to restrict which endpoints can communicate with GeoVision devices
- Audit and rotate credentials on all GeoVision devices managed by affected utility versions
- Contact GeoVision for a patched utility version and apply security updates when available
- Consider disabling broadcast-based device discovery in favor of unicast discovery or certificate-based authentication where supported
Evidence notes
Vulnerability disclosed via NVD with CVSS 9.3 (CRITICAL). Source references include Talos Intelligence vulnerability reports and the GeoVision security page. NVD status was marked as 'Deferred' as of 2026-05-19.
Official resources
- CVE-2026-42363 CVE record (CVE.org)
- CVE-2026-42363 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (0df08a0e-a200-4957-9bb0-084f562506f9)
- Source reference (0df08a0e-a200-4957-9bb0-084f562506f9, 2026-04-27)