GeoVision GV-IO Box 4E up to 2.09/2.11 Network libNetSetObj.so os command injection

Summaryinfo

A vulnerability was found in GeoVision GV-IO Box 4E up to 2.09/2.11. It has been rated as critical. Affected by this issue is some unknown functionality of the file libNetSetObj.so of the component Network Handler. The manipulation leads to os command injection. This vulnerability is documented as CVE-2026-12850. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in GeoVision GV-IO Box 4E up to 2.09/2.11. It has been rated as critical. This issue affects an unknown function of the file libNetSetObj.so of the component Network Handler. The manipulation with an unknown input leads to a os command injection vulnerability. Using CWE to declare the problem leads to CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Gate_way command injection The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev) { char s[324]; // [sp+4h] [bp-144h] BYREF if ( !dev && !*this || !gw ) return 0; system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0"); system("/sbin/route del default "); if ( dev ) sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string else sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string system(s); sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string system(s); return 1; }

The weakness was released by Philippe Laulheret. The advisory is shared at geovision.com.tw. The identification of this vulnerability is CVE-2026-12850 since 06/22/2026. The exploitation is known to be easy. The attack may be initiated remotely. The exploitation needs additional levels of successful authentication. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1202 for this issue.

Upgrading to version 2.12 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-38652). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• GeoVision

Name

• GV-IO Box 4E

Version

• 2.0
• 2.09
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion