OS Command Injection Vulnerabilities in GeoVision GV-I/O Box
CVE-2026-12851

9.1CRITICAL

Key Information:

Vendor: Geovision Inc.
Status: Gv-i/o Box 4e
Vendor: CVE Published:; 24 June 2026

🔔 Create Geovision Inc. Vulnerability Alert

What is CVE-2026-12851?

Multiple OS command injection vulnerabilities exist in the internal library libNetSetObj.so of the GeoVision GV-I/O Box 4E 2.09. These vulnerabilities allow an attacker to execute arbitrary commands by sending specially crafted network packets. The unauthorized command execution can be initiated through functions like m_F_n_Set_DNS_Addr, which performs no input sanitization and directly calls the system command with user-controlled input. This issue is accessible through network-exposed services such as DVRSearch and Network.cgi, highlighting a significant risk to the device's network configuration and overall security.

Affected Version(s)

GV-I/O Box 4E Linux V2.09

GV-I/O Box 4E Linux V2.12

References

https://www.geovision.com.tw/cyber_security.php

vendor-advisory

https://talosintelligence.com/vulnerability_reports/TALOS...

third-party-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
Jun 22, 2026

Credit

Philippe Laulheret of Cisco Talos

Kelly Patterson of Cisco Talos

Robert Sherwin of Cisco Talos

CVE-2026-12851 Data

JSON