CVE-2026-12485 (GCVE-0-2026-12485)
Vulnerability from cvelistv5 – Published: 2026-06-24 03:34 – Updated: 2026-06-24 03:34
VLAI
Title
GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
Summary
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
Severity
10 (Critical)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.geovision.com.tw/cyber_security.php | vendor-advisory |
| https://talosintelligence.com/vulnerability_repor… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| GeoVision Inc. | GV-I/O Box 4E |
Affected:
V2.09
Unaffected: v2.12 |
Date Public
2026-06-17 03:10
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "GV-I/O Box 4E",
"vendor": "GeoVision Inc.",
"versions": [
{
"status": "affected",
"version": "V2.09"
},
{
"status": "unaffected",
"version": "v2.12"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Philippe Laulheret of Cisco Talos"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Kelly Patterson of Cisco Talos"
},
{
"lang": "en",
"type": "coordinator",
"value": "Robert Sherwin of Cisco Talos"
}
],
"datePublic": "2026-06-17T03:10:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\u003cbr\u003e\n\u003cbr\u003eUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\u003cbr\u003e\n\u003cbr\u003e v3 = strlen(g_network_config-\u0026gt;ip_addr);\n\u003cbr\u003e memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### IP field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n v3 = strlen(g_network_config-\u003eip_addr);\n\n memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);"
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T03:34:22.794Z",
"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"shortName": "GV"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.geovision.com.tw/cyber_security.php"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-04-21T07:34:00.000Z",
"value": "Finder Reports Vulnerabilties to Vendor"
}
],
"title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
"assignerShortName": "GV",
"cveId": "CVE-2026-12485",
"datePublished": "2026-06-24T03:34:22.794Z",
"dateReserved": "2026-06-17T03:09:05.554Z",
"dateUpdated": "2026-06-24T03:34:22.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-12485",
"date": "2026-06-24",
"epss": "0.00436",
"percentile": "0.34795"
},
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"0df08a0e-a200-4957-9bb0-084f562506f9\", \"shortName\": \"GV\", \"dateUpdated\": \"2026-06-24T03:34:22.794Z\"}, \"title\": \"GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command\", \"datePublic\": \"2026-06-17T03:10:00.000Z\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121 Stack-based buffer overflow\", \"type\": \"CWE\"}]}], \"impacts\": [{\"capecId\": \"CAPEC-100\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-100 Overflow Buffers\"}]}], \"affected\": [{\"vendor\": \"GeoVision Inc.\", \"product\": \"GV-I/O Box 4E\", \"platforms\": [\"Linux\"], \"versions\": [{\"status\": \"affected\", \"version\": \"V2.09\"}, {\"status\": \"unaffected\", \"version\": \"v2.12\"}], \"defaultStatus\": \"unaffected\"}], \"cpeApplicability\": [{\"operator\": \"OR\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*\"}]}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\\n\\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \\n\\n\\n\\nUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\\n\\n\\n#### IP field stack overflow\\n\\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\\n\\n\\n\\n v3 = strlen(g_network_config-\u003eip_addr);\\n\\n memcpy(\u0026reply_buf[36], g_network_config-\u003eip_addr, v3);\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \\n\u003cbr\u003e\\n\u003cbr\u003eUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\\n\u003cbr\u003e\u003cbr\u003e#### IP field stack overflow\u003cbr\u003e\u003cbr\u003eThe following code is vulnerable to a stack overflow that is attacker-controlled:\\n\u003cbr\u003e\\n\u003cbr\u003e v3 = strlen(g_network_config-\u0026gt;ip_addr);\\n\u003cbr\u003e memcpy(\u0026amp;reply_buf[36], g_network_config-\u0026gt;ip_addr, v3);\u003cbr\u003e\u003c/div\u003e\"}]}], \"references\": [{\"url\": \"https://www.geovision.com.tw/cyber_security.php\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377\", \"tags\": [\"third-party-advisory\"]}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV3_1\": {\"version\": \"3.1\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"baseSeverity\": \"CRITICAL\", \"baseScore\": 10, \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"}}], \"timeline\": [{\"time\": \"2026-04-21T07:34:00.000Z\", \"lang\": \"en\", \"value\": \"Finder Reports Vulnerabilties to Vendor\"}], \"credits\": [{\"lang\": \"en\", \"value\": \"Philippe Laulheret of Cisco Talos\", \"type\": \"finder\"}, {\"lang\": \"en\", \"value\": \"Kelly Patterson of Cisco Talos\", \"type\": \"remediation reviewer\"}, {\"lang\": \"en\", \"value\": \"Robert Sherwin of Cisco Talos\", \"type\": \"coordinator\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-12485\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-24T12:55:48.854235Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-24T12:55:52.925Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-12485\", \"assignerOrgId\": \"0df08a0e-a200-4957-9bb0-084f562506f9\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GV\", \"dateReserved\": \"2026-06-17T03:09:05.554Z\", \"datePublished\": \"2026-06-24T03:34:22.794Z\", \"dateUpdated\": \"2026-06-24T12:56:06.131Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…