CVE-2026-4860
Received Received - Intake
Remote Deserialization Vulnerability in wvp-GB28181-pro API Endpoint

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4860
EUVD
EUVD-2026-16145
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
fastjson fastjson 2.0.57
spring_project spring_boot *
redis redis *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to complete server compromise remotely without authentication if unauthenticated write endpoints exist, or with low privileges otherwise.

  • Full confidentiality breach: attackers can read all data stored in Redis, including sensitive video streams, credentials, and configuration.
  • Integrity compromise: attackers can modify application state, video streams, user permissions, and inject malicious data.
  • Availability impact: attackers can crash the application, disrupt video streaming, delete data, or use the server as a pivot for lateral movement.

In video surveillance platforms, this can lead to manipulation of live video streams, disabling of cameras, and compromise of physical security infrastructure.

Executive Summary

CVE-2026-4860 is a critical remote code execution (RCE) vulnerability in the wvp-GB28181-pro web application version 2.7.4. It arises from unsafe Redis template configuration where the application uses FastJSON's GenericFastJsonRedisSerializer with AutoType enabled by default. This allows attackers to send malicious JSON payloads containing a crafted @type field that specifies arbitrary classes to be instantiated during deserialization.

When the application reads these malicious JSON payloads from Redis, FastJSON deserializes them and instantiates attacker-specified classes, which can execute malicious code remotely without authentication. This vulnerability affects the Redis serialization configuration and multiple service classes that read from Redis without validation.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious JSON payloads containing the `@type` field with unusual values such as `JdbcRowSetImpl` or JNDI URLs like `ldap://` and `rmi://` in Redis data or API requests.

Indicators include unexpected Redis key structures, anomalous JNDI/LDAP network connections, Java processes spawning child processes unexpectedly, and application crashes triggered by Redis reads.

Suggested detection commands and methods include:

  • Use Redis CLI to scan for keys and inspect values for suspicious `@type` fields, e.g., `redis-cli KEYS '*'` and `redis-cli GET <key>`.
  • Monitor network traffic for outbound LDAP, RMI, or DNS connections that could indicate JNDI lookups, e.g., using `tcpdump` or `Wireshark` filtering on ports 389 (LDAP), 1099 (RMI), and DNS ports.
  • Check application logs for deserialization errors or unexpected behavior during Redis reads.
  • Implement Sigma detection rules for suspicious JNDI connections targeting LDAP/RMI/DNS ports.
Mitigation Strategies

Immediate mitigation steps include disabling the AutoType feature or restricting it to a safe whitelist in the FastJSON serializer configuration used by the Redis template.

Additionally, validate and sanitize all JSON data before storing or deserializing it from Redis to prevent malicious payloads.

Other important steps are to update FastJSON to a secure version that does not have AutoType vulnerabilities and to harden API endpoints by requiring authentication and limiting write access.

Monitoring Redis logs and network traffic for suspicious activity should also be implemented as part of ongoing defense.

Compliance Impact

CVE-2026-4860 enables remote code execution leading to full confidentiality, integrity, and availability compromise of the affected system. Attackers can read sensitive data stored in Redis, including credentials and video streams, modify application state and user permissions, and disrupt services.

Such a breach can result in unauthorized access to personal and sensitive information, violating data protection regulations like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.

The vulnerability's impact on data confidentiality and integrity, combined with the potential for service disruption, means organizations using the affected software may fail to meet compliance requirements related to data security, breach notification, and system availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart