CVE-2026-12851
Command Injection in GeoVision GV-I/O Box 4E

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).

#### CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function takes up to two addresses, performs no sanitization, and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.

```c
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
  int result; // r0
  char v5[80]; // [sp+0h] [bp-50h] BYREF

  if ( !dns1 )
    result = 0;
  if ( dns1 )
  {
    sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
    system(v5);
    if ( dns2 )
    {
      sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
      system(v5);
    }
    return 1;
  }
  return result;
}
```
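
A hardened counterpart to the decompiled function above, as an added example (not GeoVision's code and not a vendor patch): it validates each address with `inet_pton` and writes the file directly instead of building a shell command. The names `set_dns_addr_safe` and `is_ip_literal` and the `path` parameter are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Accept only a literal IPv4 or IPv6 address; inet_pton() rejects anything
 * else, including whitespace and shell metacharacters. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (s == NULL || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Validate first, then write the file directly: no shell and no command
 * string. `path` is a hypothetical parameter so the function can run against
 * a scratch file; on the device it would be /etc/resolv.conf.
 * Returns 1 on success and 0 on rejected input or I/O error. */
int set_dns_addr_safe(const char *path, const char *dns1, const char *dns2)
{
    FILE *fp;
    int ok;

    if (!is_ip_literal(dns1) || (dns2 != NULL && !is_ip_literal(dns2)))
        return 0;                 /* rejected before the file is touched */
    fp = fopen(path, "w");
    if (fp == NULL)
        return 0;
    ok = fprintf(fp, "nameserver %s\n", dns1) > 0;
    if (ok && dns2 != NULL)
        ok = fprintf(fp, "nameserver %s\n", dns2) > 0;
    if (fclose(fp) != 0)
        ok = 0;
    return ok;
}

int main(void)
{
    const char *scratch = "resolv.conf.test";   /* constructed scratch path */

    /* Constructed inputs: documentation-range addresses, then a malformed one. */
    printf("valid pair -> %d\n", set_dns_addr_safe(scratch, "192.0.2.53", "2001:db8::53"));
    printf("malformed  -> %d\n", set_dns_addr_safe(scratch, "192.0.2.53;x", NULL));
    return 0;
}
```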
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|---|---|---|
| geovision | gv-i/o_box | 2.09 |
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Executive Summary

This CVE covers multiple OS command injection issues in the libNetSetObj.so library of the GeoVision GV-I/O Box 4E version 2.09. They occur because a function that sets DNS addresses does not sanitize its input before passing it to the `system` call. An attacker can send a specially crafted network packet containing malicious DNS address input, which is then executed by the system, allowing arbitrary command execution on the device.

Specifically, the function CNetSetObj::m_F_n_Set_DNS_Addr takes up to two DNS addresses, uses them directly in system calls without validation, and is accessible via network-exposed services like DVRSearch and Network.cgi, making remote exploitation possible.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary operating system commands remotely on the affected device. This can lead to full compromise of the device, including unauthorized access, data manipulation, disruption of services, and potentially using the device as a foothold to attack other systems within the network.

Given the high CVSS score of 9.1, the vulnerability poses a critical risk with high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for specially crafted packets sent to the DVRSearch service or the Network.cgi endpoint that attempt to inject commands via the DNS address fields.

Since the vulnerability involves command injection through DNS address parameters, you can look for unusual or suspicious network requests containing shell metacharacters or commands in the DNS fields.

On the device itself, you can check the contents of /etc/resolv.conf for unexpected entries or commands that may have been injected.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to filter traffic to the DVRSearch service or Network.cgi endpoint and inspect for suspicious payloads.
  • Example tcpdump command to capture traffic to the device on port 80 (assuming Network.cgi is accessed via HTTP): `tcpdump -i <interface> tcp port 80 -w capture.pcap`
  • On the device, check /etc/resolv.conf for unexpected entries: `cat /etc/resolv.conf`
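
One way to automate the /etc/resolv.conf check, as an added example that is not part of the advisory or any vendor tooling: it flags every non-blank line that is not exactly `nameserver <IP literal>`. It assumes the file on this device holds only `nameserver` lines, which is all the setter shown in the description writes; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the line is exactly "nameserver <IPv4-or-IPv6 literal>". */
static int line_is_expected(const char *line)
{
    char key[16], addr[64], extra[2];
    unsigned char buf[sizeof(struct in6_addr)];

    /* A third token, or an over-long one spilling into it, fails the check. */
    if (sscanf(line, "%15s %63s %1s", key, addr, extra) != 2)
        return 0;
    if (strcmp(key, "nameserver") != 0)
        return 0;
    return inet_pton(AF_INET, addr, buf) == 1 || inet_pton(AF_INET6, addr, buf) == 1;
}

/* Prints and counts the lines of `path` that are not plain nameserver
 * entries. Assumption: on this device the file holds nothing else.
 * Returns the count, or -1 if the file cannot be opened. */
int audit_resolv_conf(const char *path)
{
    FILE *fp = fopen(path, "r");
    char line[256];
    int bad = 0, lineno = 0;

    if (fp == NULL)
        return -1;
    while (fgets(line, sizeof line, fp) != NULL) {
        lineno++;
        line[strcspn(line, "\r\n")] = '\0';
        if (line[strspn(line, " \t")] == '\0')
            continue;                       /* blank line */
        if (!line_is_expected(line)) {
            bad++;
            printf("line %d unexpected: %s\n", lineno, line);
        }
    }
    fclose(fp);
    return bad;
}

int main(int argc, char **argv)
{
    /* Audits a copy pulled from the device, or the local file by default. */
    return audit_resolv_conf(argc > 1 ? argv[1] : "/etc/resolv.conf") == 0 ? 0 : 1;
}
```
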
Mitigation Strategies

Immediate mitigation steps include restricting network access to the vulnerable services (DVRSearch and Network.cgi) to trusted hosts only.

Disabling or blocking access to these services from untrusted networks can prevent exploitation.

Additionally, monitor and audit the /etc/resolv.conf file for unauthorized changes and restore it if necessary.

Applying any available patches or updates from the vendor that address this vulnerability is recommended as a long-term fix.

Compliance Impact

This vulnerability allows remote attackers to execute arbitrary commands on the affected device, potentially leading to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

Specifically, the high severity of this vulnerability (CVSS 9.1) and its ability to compromise confidentiality, integrity, and availability (C:H/I:H/A:H) indicate a significant risk to regulatory compliance if exploited.
