OS Command Injection Vulnerability in GeoVision GV-I/O Box Product
CVE-2026-12486

9.1 CRITICAL

Key Information:

Vendor
CVE Published: 24 June 2026

What is CVE-2026-12486?

Multiple OS command injection vulnerabilities have been identified in the libNetSetObj.so functionality of the GeoVision GV-I/O Box. These vulnerabilities are exploitable through specially crafted network packets that can lead to unauthorized command execution. One notable issue involves the CNetSetObj::m_F_n_Set_IP_Addr function, which fails to properly sanitize input before invoking the system command. This function can be accessed through the network-exposed DVRSearch service and the Network.cgi endpoint, allowing attackers to execute arbitrary commands on the device. It is crucial for users of the GV-I/O Box to implement security measures to mitigate the risks associated with these vulnerabilities.
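A defensive sketch of the fix class for this kind of bug, added here as an example and not taken from GeoVision's firmware or the advisory: validate the address strictly, then run the tool with an argument vector instead of a shell line. The function names, the `/sbin/ifconfig` path and the `eth0` interface are assumptions, and the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (assumed shape, for contrast only): a shell parses the input.
 *   snprintf(cmd, sizeof cmd, "ifconfig eth0 %s", ip); system(cmd); */

/* Accept only a strict dotted-quad IPv4 address ("255.255.255.255" = 15 chars). */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &addr) == 1;
}

/* Fill a fixed argv; the address is one argument, never part of a shell line. */
int build_set_ip_argv(const char *ip, const char *argv[4])
{
    if (!is_valid_ipv4(ip))
        return -1;
    argv[0] = "/sbin/ifconfig"; argv[1] = "eth0";   /* hypothetical tool/interface */
    argv[2] = ip;               argv[3] = NULL;
    return 0;
}

/* Run the tool directly with execv(): no shell is involved at any point. */
int set_ip_addr(const char *ip)
{
    const char *argv[4];
    int status; pid_t pid;
    if (build_set_ip_argv(ip, argv) != 0)
        return -1;                      /* rejected before any process starts */
    if ((pid = fork()) == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                     /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10;id", "$(id)", "10.0.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %s\n", samples[i], is_valid_ipv4(samples[i]) ? "accept" : "reject");
    return 0;
}
```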

Affected Version(s)

GV-I/O Box 4E Linux V2.09

GV-I/O Box 4E Linux V2.12

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Philippe Laulheret of Cisco Talos
Kelly Patterson of Cisco Talos
Robert Sherwin of Cisco Talos