PatchSiren cyber security CVE debrief

CVE-2026-42369 GeoVision Inc. CVE debrief

A critical stack-based buffer overflow vulnerability exists in the WebCam Server component of GV-VMS V20 video monitoring software. The vulnerability resides in the `gvapi` endpoint's base64 decoding routine, where a dynamically sized decoded string is copied to a fixed 256-byte stack buffer without bounds checking. An attacker can exploit this by sending an HTTP request with a maliciously crafted Authorization header containing a base64-encoded string exceeding 256 characters. The WebCam Server binary is compiled without Address Space Layout Randomization (ASLR), significantly reducing exploitation complexity and enabling reliable code execution. Successful exploitation grants SYSTEM-level privileges on the affected host. The vulnerability is network-accessible and requires no authentication, as the `gvapi` endpoint uses a separate authentication mechanism that does not prevent the vulnerable code path from being reached.

Vendor: GeoVision Inc.
Product: GV-VMS V20.0.2
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-04
Original CVE updated: 2026-05-19
Advisory published: 2026-05-04
Advisory updated: 2026-05-19

Who should care

Security operations teams managing physical security infrastructure; network administrators with surveillance camera management systems; incident responders in critical infrastructure, healthcare, and enterprise environments using GeoVision VMS products; vulnerability management programs tracking unauthenticated remote code execution in native applications.

Technical summary

The WebCam Server in GV-VMS V20 exposes a `gvapi` endpoint that processes HTTP Authorization headers. The endpoint supports Basic and Digest authentication modes. During processing, base64-encoded credentials are decoded to a dynamically allocated buffer, then copied character-by-character to a 256-byte fixed stack buffer (`Buffer`) without length validation. A decoded string exceeding 256 bytes causes stack corruption. The absence of ASLR in the WebCam Server binary allows predictable memory layouts, facilitating reliable exploitation for arbitrary code execution with SYSTEM privileges. The vulnerability is reachable without prior authentication through the `gvapi` endpoint's independent authentication handler.
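The defect pattern above is an unchecked copy of a variable-length decoded credential into a fixed 256-byte stack buffer. The following C example is added here for illustration and is not GeoVision's code; the advisory names only the `gvapi` endpoint, the `Buffer` name and the 256-byte size, so every other function name and the `Basic` prefix handling are assumptions. It shows the hardened form: the decoded length is computed from the encoded input before any byte is written, and a credential that would not fit is rejected instead of copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRED_BUF_SIZE 256   /* the fixed stack buffer size named in the advisory */

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decoded size of a base64 string, computed before any byte is written.
 * Returns -1 for malformed input (bad length, bad characters, misplaced '='). */
long b64_decoded_len(const char *in, size_t in_len) {
    if (in_len == 0 || in_len % 4 != 0) return -1;
    size_t pad = 0;
    if (in[in_len - 1] == '=') pad++;
    if (in[in_len - 2] == '=') pad++;
    for (size_t i = 0; i < in_len - pad; i++)
        if (b64_value(in[i]) < 0) return -1;
    return (long)(in_len / 4 * 3 - pad);
}

/* Decode into out (capacity out_cap); returns bytes written or -1 on error.
 * The size check runs first, so an oversized credential never touches out.
 * The vulnerable pattern described in the advisory is the opposite order:
 * decode to a heap buffer, then copy byte by byte into Buffer[256] with no
 * comparison against its size. */
long b64_decode_bounded(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    long need = b64_decoded_len(in, in_len);
    if (need < 0 || (size_t)need > out_cap) return -1;
    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) v[k] = in[i + k] == '=' ? 0 : b64_value(in[i + k]);
        uint8_t b0 = (uint8_t)((v[0] << 2) | (v[1] >> 4));
        uint8_t b1 = (uint8_t)(((v[1] & 0x0F) << 4) | (v[2] >> 2));
        uint8_t b2 = (uint8_t)(((v[2] & 0x03) << 6) | v[3]);
        if (o < (size_t)need) out[o++] = b0;
        if (o < (size_t)need) out[o++] = b1;
        if (o < (size_t)need) out[o++] = b2;
    }
    return (long)o;
}

/* Hardened credential handling (hypothetical handler name): decodes a Basic
 * credential into a fixed 256-byte stack buffer only when it fits, keeping
 * one byte for the terminator. Returns the credential length or -1. */
int parse_basic_credentials(const char *auth_header) {
    static const char prefix[] = "Basic ";
    if (strncmp(auth_header, prefix, sizeof prefix - 1) != 0) return -1;
    const char *b64 = auth_header + (sizeof prefix - 1);
    uint8_t Buffer[CRED_BUF_SIZE];
    long n = b64_decode_bounded(b64, strlen(b64), Buffer, sizeof Buffer - 1);
    if (n < 0) return -1;
    Buffer[n] = '\0';
    return (int)n;
}

/* Constructed input: the RFC 7617 example credential "Aladdin:open sesame". */
int demo_valid_credential(void) {
    return parse_basic_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==");
}

/* Constructed input: 344 base64 characters decode to 258 bytes, which exceeds
 * the buffer and must be rejected rather than copied. */
int demo_oversized_credential(void) {
    char hdr[6 + 344 + 1];
    memcpy(hdr, "Basic ", 6);
    memset(hdr + 6, 'A', 344);
    hdr[6 + 344] = '\0';
    return parse_basic_credentials(hdr);
}

/* Checks that the bounded decoder produces the expected plaintext bytes. */
int demo_decode_roundtrip(void) {
    uint8_t out[32];
    const char *enc = "QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    long n = b64_decode_bounded(enc, strlen(enc), out, sizeof out);
    return n == 19 && memcmp(out, "Aladdin:open sesame", 19) == 0;
}

int main(void) {
    printf("valid credential: %d bytes\n", demo_valid_credential());
    printf("oversized credential: %d (rejected)\n", demo_oversized_credential());
    return 0;
}
```

The ordering is the whole fix: with the length known up front, the 256-byte stack buffer is never written past its end, and the same check works whether the credential arrives through Basic or any other base64-carrying mode the endpoint accepts.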

Defensive priority

P0 - Immediate Action Required

Recommended defensive actions

  • Immediately restrict network access to GV-VMS V20 WebCam Server endpoints at the firewall or network segmentation layer; do not expose to untrusted networks or the internet
  • Apply vendor security updates from GeoVision when available; monitor https://www.geovision.com.tw/cyber_security.php for patch releases
  • If remote access is required, implement VPN or zero-trust access controls in front of WebCam Server rather than direct exposure
  • Conduct asset inventory to identify all GV-VMS V20 deployments with WebCam Server enabled
  • Review WebCam Server logs for anomalous HTTP requests to /gvapi with oversized Authorization headers as potential exploitation indicators
  • Disable WebCam Server feature if not business-critical until patching is complete
  • Deploy endpoint detection and response (EDR) solutions on hosts running GV-VMS to detect anomalous process behavior
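To make the log review item concrete, the C example below is added here and is not a GeoVision tool; the WebCam Server's real log format is not described in the advisory, so the sample lines, their layout and the function names are constructed assumptions. It picks out `/gvapi` requests carrying a Basic credential, computes the size the base64 value would decode to (without decoding it), and flags any line whose credential exceeds the 256-byte buffer from the advisory or is malformed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_BUF_SIZE 256   /* stack buffer size named in the advisory */

/* 40 'A' characters; nine copies give a 360-character base64 value. */
#define A40 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Constructed sample log lines (assumed layout: timestamp, client, request,
 * Authorization value, status). The third line is the kind of request the
 * advisory says to look for: a /gvapi request with an oversized credential. */
static const char *SAMPLE_LOG[] = {
    "2026-05-05T10:01:02Z 10.0.0.7 \"GET /gvapi HTTP/1.1\" "
        "Authorization=\"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\" 200",
    "2026-05-05T10:01:09Z 10.0.0.7 \"GET /index.htm HTTP/1.1\" Authorization=\"-\" 200",
    "2026-05-05T10:02:44Z 203.0.113.9 \"GET /gvapi HTTP/1.1\" "
        "Authorization=\"Basic " A40 A40 A40 A40 A40 A40 A40 A40 A40 "\" 500",
};
static const size_t SAMPLE_LOG_COUNT = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Byte count a base64 token would decode to, from its length and padding
 * alone; -1 if the length is not a multiple of four. */
static long b64_decoded_size(const char *tok, size_t len) {
    if (len == 0 || len % 4 != 0) return -1;
    size_t pad = 0;
    if (tok[len - 1] == '=') pad++;
    if (tok[len - 2] == '=') pad++;
    return (long)(len / 4 * 3 - pad);
}

/* Decoded credential size for a /gvapi request line with a Basic value,
 * 0 if the line is not a /gvapi request or carries no Basic credential,
 * -1 if the credential token is malformed. */
long gvapi_auth_decoded_size(const char *line) {
    if (strstr(line, " /gvapi ") == NULL) return 0;
    static const char marker[] = "Authorization=\"Basic ";
    const char *p = strstr(line, marker);
    if (p == NULL) return 0;
    p += sizeof marker - 1;
    const char *end = strchr(p, '"');
    if (end == NULL) return -1;
    return b64_decoded_size(p, (size_t)(end - p));
}

/* A line is escalated when its credential would not fit the 256-byte buffer
 * or cannot be parsed at all. */
int is_suspicious(const char *line) {
    long n = gvapi_auth_decoded_size(line);
    return n < 0 || n > CRED_BUF_SIZE;
}

/* Runs the triage over the constructed sample and returns the number of
 * lines that should be escalated. */
int count_suspicious(void) {
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        if (is_suspicious(SAMPLE_LOG[i])) hits++;
    return hits;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        printf("line %zu: decoded credential size %ld%s\n", i + 1,
               gvapi_auth_decoded_size(SAMPLE_LOG[i]),
               is_suspicious(SAMPLE_LOG[i]) ? "  <-- escalate" : "");
    return 0;
}
```

The check deliberately reasons about size without decoding the value, so the triage step cannot itself be tripped up by a malformed credential; adapting it to a real deployment means only replacing the `" /gvapi "` and `Authorization="Basic ` markers with whatever the server actually writes.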

Evidence notes

Vulnerability description sourced from NVD record. CVSS 3.1 vector confirms network attack vector, low attack complexity, no privileges required, no user interaction, and changed scope with high impact across confidentiality, integrity, and availability. CWE-787 (Out-of-bounds Write) identified as secondary weakness. Vendor references point to GeoVision security advisories and Cisco Talos vulnerability reports.

Official resources

Published 2026-05-04; modified 2026-05-19. No CISA KEV entry as of analysis date.