CVE-2026-12486
Received - Intake
Command Injection in GeoVision GV-I/O Box

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).

#### CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an IP address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.

```c
int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)
{
  bool v2; // zf
  char v4[72]; // [sp+0h] [bp-48h] BYREF

  v2 = *this == 0;
  if ( *this )
    v2 = ip_addr == 0;
  if ( v2 )
    return 0;
  sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address
  system(v4);
  return 1;
}
```
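For contrast with the decompiled setter in the description, the following added example (not GeoVision's code and not the vendor's patch) shows one way to harden such a function: validate both strings, then run `/sbin/ifconfig` through an argument vector instead of a shell. The function names, the `run` flag and the interface-name character set are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict dotted-quad only: inet_pton() rejects trailing bytes, so shell
   metacharacters and whitespace can never reach the command. */
int is_valid_ipv4(const char *s) {
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Interface name: 1..15 chars from [A-Za-z0-9_.:-], not starting with '-'. */
int is_valid_ifname(const char *s) {
    if (s == NULL || s[0] == '-') return 0;
    size_t n = strlen(s);
    if (n == 0 || n > 15) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && strchr("_.:-", s[i]) == NULL)
            return 0;
    return 1;
}

/* Hypothetical hardened setter: 1 on success, 0 on rejected input or failure.
   run == 0 validates only, so it can be exercised without root. */
int set_ip_addr_safe(const char *ifname, const char *ip_addr, int run) {
    if (!is_valid_ifname(ifname) || !is_valid_ipv4(ip_addr)) return 0;
    if (!run) return 1;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        /* argv vector passed straight to execv: no shell parses the input,
           and no fixed-size command buffer is filled with sprintf. */
        char *const argv[] = { "ifconfig", (char *)ifname, (char *)ip_addr, NULL };
        execv("/sbin/ifconfig", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    /* Constructed sample inputs: the first is accepted, the second rejected. */
    printf("%d %d\n", set_ip_addr_safe("eth0", "10.0.0.5", 0),
           set_ip_addr_safe("eth0", "10.0.0.5;x", 0));
    return 0;
}
```

Validation alone would already block the injection; dropping the shell removes the whole class of bug even if a validator is later loosened.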
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
|---|---|---|
| geovision | gv-i/o_box | 2.09 |
CWE
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Compliance Impact

The vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and control over network configuration could result in breaches of confidentiality, integrity, and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

Failure to address this vulnerability could therefore lead to non-compliance with these regulations due to potential exposure of personal or sensitive data and inadequate protection of networked systems.

Executive Summary

CVE-2026-12486 is a high severity OS command injection vulnerability found in the GeoVision GV-I/O Box 4E version 2.09. It exists in the libNetSetObj.so library, which is responsible for configuring network settings such as IP address, netmask, gateway, and DNS. The vulnerability arises because certain functions take user-supplied input (like an IP address) without proper sanitization and pass it directly to system commands. This allows an attacker to send a specially crafted network packet that can execute arbitrary commands on the device remotely.

Impact Analysis

This vulnerability can have severe impacts because it allows remote attackers to execute arbitrary commands on the affected device with high privileges. This can lead to complete compromise of the device, including unauthorized access, data manipulation, disruption of network services, and potentially using the device as a foothold to attack other systems within the network.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for specially crafted packets targeting the GeoVision GV-I/O Box 4E services, specifically the DVRSearch service and the Network.cgi endpoint, which are known to be vulnerable.

Since the vulnerability involves command injection via IP address configuration commands, detection can include checking for unusual or unexpected commands executed on the device, especially those invoking /sbin/ifconfig with suspicious parameters.

  • Use network packet capture tools like tcpdump or Wireshark to filter traffic to the device on ports used by DVRSearch or HTTP requests to Network.cgi.
  • Example tcpdump command to capture traffic to the device (replace `<device_ip>` and `<port>`): `tcpdump -i any host <device_ip> and port <port> -w capture.pcap`
  • Inspect logs or use commands on the device to check for suspicious system calls or executed commands, such as: `ps aux | grep ifconfig`
  • Check for unexpected changes in network configuration that could indicate exploitation.

Mitigation Strategies

Immediate mitigation steps include applying the vendor's patch released on April 28, 2026, which addresses the command injection vulnerabilities in libNetSetObj.so.

Until the patch can be applied, restrict network access to the vulnerable services (DVRSearch and Network.cgi) by implementing firewall rules or network segmentation to limit exposure.

Monitor the device for suspicious activity and consider disabling or restricting the use of the vulnerable network configuration services if possible.
