CVE-2026-12849
Received Received - Intake
Command Injection in GeoVision GV-I/O Box 4E

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Net_Mask command injection The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = netmask_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr system(v4); return 1; }
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-12849
EUVD
EUVD-2026-38651
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
geovision gv-i/o_box 2.09
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a multiple OS command injection issue found in the libNetSetObj.so functionality of the GeoVision GV-I/O Box 4E version 2.09. It occurs because a function that sets the network mask address takes input from a network request without sanitizing it and then uses that input in a system command call. This allows an attacker to craft a malicious network packet that can execute arbitrary commands on the device.

Specifically, the function CNetSetObj::m_F_n_Set_Net_Mask constructs a command string using the provided netmask address and calls the system function to execute it. Since the netmask address is attacker-controlled and not sanitized, this leads to command injection.

The vulnerability can be triggered remotely via the network-exposed DVRSearch service or the Network.cgi endpoint.

Compliance Impact

This vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and control over the device could result in breaches of confidentiality, integrity, and availability of data, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches or service disruptions.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary operating system commands on the affected device remotely.

  • Complete compromise of the device by executing malicious commands.
  • Potential disruption of network services by altering network configurations.
  • Loss of confidentiality, integrity, and availability of the device and possibly the network it is connected to.
  • Because the CVSS score is 9.1 (Critical), the vulnerability is highly exploitable with low complexity and can lead to high impact on confidentiality, integrity, and availability.
Detection Guidance

This vulnerability can be detected by monitoring network traffic for specially crafted packets sent to the DVRSearch service or the Network.cgi endpoint, which trigger the vulnerable function.

Since the vulnerability involves command injection via the netmask parameter, detection can involve checking for unusual or malformed netmask values in network requests.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable services (DVRSearch and Network.cgi endpoints) to trusted networks only.

Additionally, monitoring and filtering network packets to block specially crafted requests targeting the netmask parameter can help reduce risk.

Applying any available patches or updates from the vendor is recommended once they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart