FKIE_CVE-2026-12850
Vulnerability from fkie_nvd - Published: 2026-06-24 05:17 - Updated: 2026-06-25 14:02
Severity ?
Summary
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Gate_way command injection
The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
char s[324]; // [sp+4h] [bp-144h] BYREF
if ( !dev && !*this || !gw )
return 0;
system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
system("/sbin/route del default ");
if ( dev )
sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string
else
sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
return 1;
}
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "GV-I/O Box 4E",
"vendor": "GeoVision Inc.",
"versions": [
{
"status": "affected",
"version": "V2.09"
},
{
"status": "unaffected",
"version": "V2.12"
}
]
}
],
"source": "0df08a0e-a200-4957-9bb0-084f562506f9"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.\n\n\n`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)\n\n\n#### CNetSetObj::m_F_n_Set_Gate_way command injection\n\nThe following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. \n\n\n\n\n\n int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)\n\n {\n\n char s[324]; // [sp+4h] [bp-144h] BYREF\n\n\n\n if ( !dev \u0026\u0026 !*this || !gw )\n\n return 0;\n\n system(\"/sbin/route del -net 224.0.0.0 netmask 224.0.0.0\");\n\n system(\"/sbin/route del default \");\n\n if ( dev )\n\n sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, dev); //attacker controlled gw string\n\n else\n\n sprintf(s, \"/sbin/route add default gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n system(s);\n\n sprintf(s, \"/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s\", gw, *this); //attacker controlled gw string\n\n system(s);\n\n return 1;\n\n }"
}
],
"id": "CVE-2026-12850",
"lastModified": "2026-06-25T14:02:35.347",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-12850",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T12:51:53.369783Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-24T05:17:27.020",
"references": [
{
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2379"
},
{
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"url": "https://www.geovision.com.tw/cyber_security.php"
}
],
"sourceIdentifier": "0df08a0e-a200-4957-9bb0-084f562506f9",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "0df08a0e-a200-4957-9bb0-084f562506f9",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…