CVE-2026-42364
Modified Modified - Updated After Analysis
Command Injection in GeoVision LPC2011/LPC2211

Publication date: 2026-05-04

Last updated on: 2026-06-15

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description
An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-05-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42364
EUVD
EUVD-2026-26855
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
geovision gv-lpc2011_firmware 1.10
geovision gv-lpc2211_firmware 1.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-42364 vulnerability is a critical OS command injection flaw in GeoVision LPC2011/LPC2211 devices that allows arbitrary command execution. Such a vulnerability can lead to unauthorized access, data breaches, and system compromise, which may impact compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive data and secure system operation.

GeoVision maintains a comprehensive cybersecurity policy with structured vulnerability management, including prompt disclosure and remediation of critical vulnerabilities. Their adherence to recognized security standards and timely updates helps mitigate risks that could affect regulatory compliance.

However, the provided information does not explicitly detail the direct impact of this specific vulnerability on compliance with GDPR, HIPAA, or other regulations.

Executive Summary

This vulnerability is an OS command injection found in the DdnsSetting.cgi functionality of GeoVision LPC2011 and LPC2211 devices, version 1.10.

It occurs when a specially crafted DDNS configuration is submitted, allowing an attacker to execute arbitrary operating system commands.

The attacker can modify a configuration value to trigger this vulnerability.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary commands on the affected device.

  • Complete compromise of the device's operating system.
  • Potential unauthorized access to sensitive data.
  • Disruption of device availability or functionality.
  • Possibility for the attacker to use the device as a foothold for further network attacks.
Mitigation Strategies

To mitigate this vulnerability, it is important to apply any available security updates or patches provided by GeoVision as soon as possible.

GeoVision follows a structured vulnerability management process that includes prompt release of fixes for critical vulnerabilities such as this one, so regularly checking for and applying firmware or software updates is recommended.

Additionally, restricting access to the DDNS configuration interface and monitoring for unauthorized configuration changes can help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42364. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart