External risk intelligence

GeoVision GV-I/O Box 4E Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-12486

The vulnerability resides in a GeoVision network-connected device. The vulnerable functions are reachable via network-exposed services, specifically a DVR management service and a CGI endpoint, which are commonly configured for remote access in deployment scenarios for these types of surveillance appliances.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns multiple command injection vulnerabilities within the GeoVision GV-I/O Box 4E 2.09's network configuration library. An attacker could send a specially crafted network packet to execute commands on the device, potentially impacting its operation and security. The main concern is confirming relevance and exposure given the technology involved.

  • Flaw allows remote command execution.
  • Affects network devices controlling critical infrastructure.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could send a malicious network request to a GeoVision device, targeting its network configuration functions. By exploiting a flaw in how the device processes IP address inputs, an attacker can inject operating system commands, potentially leading to broader system compromise. This vulnerability is present in the libNetSetObj.so library used for managing network settings.

  • Requires administrative privileges.
  • Triggered by sending a crafted network packet.
  • Risk of unauthorized command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on the affected device by sending a specially crafted network packet. The `libNetSetObj.so` library, responsible for network configuration, is vulnerable to command injection when handling IP address settings through network-exposed services.

  • Network configuration data could be altered.
  • Commands may execute through network requests.
  • Device network functions could be disrupted.

Operational Fix

Recommended remediation, mitigation, and detection steps

Platform and infrastructure teams managing the GeoVision GV-I/O Box 4E devices are likely responsible for addressing these OS command injection vulnerabilities. The initial step involves identifying all deployed instances of the affected technology, confirming their network reachability, and assessing their business criticality to prioritize remediation efforts. After identifying accountable owners, a risk-based remediation plan should be developed, which may include coordinating with the vendor or implementing temporary mitigations.

  • Identify affected devices and owners.
  • Verify network exposure and criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GeoVision GV-I/O Box 4E?

The GeoVision GV-I/O Box 4E is a hardware device designed for surveillance and industrial environments. It manages input and output signals, allowing users to integrate various sensors, alarms, or control mechanisms into their security infrastructure. The device uses an internal library called libNetSetObj.so to handle essential networking tasks like IP configuration and service management.

How does CVE-2026-12486 work?

This vulnerability is classified as OS command injection (CWE-78). It occurs because the device's software takes network input—such as an IP address—and passes it directly to a system command function without cleaning or validating the data. If an attacker provides specially crafted input, they can manipulate the system into running unauthorized operating system commands instead of just processing the network configuration.

Do I need to do anything specific to trigger this bug?

Triggering this flaw requires sending a specially crafted network packet to the device. These packets target specific network-exposed services, such as the DVRSearch service or the Network.cgi endpoint, which communicate with the vulnerable library. The vulnerability is specifically linked to how these services process configuration data; simply interacting with the device for standard monitoring tasks does not trigger the issue.

Is my device at risk if it is not on the internet?

Halo Surface Signal indicates this vulnerability is most relevant for devices with network-exposed services. While internal devices face less risk from external attackers, anyone with access to the local network could theoretically reach the vulnerable DVR management service or CGI endpoint. You should evaluate your device's placement to see if it is reachable via the public internet or unprotected internal segments.

What should I do to protect my systems?

Start by identifying all instances of the GeoVision GV-I/O Box 4E currently in your environment. Confirm which devices have network-accessible management interfaces and prioritize them based on their importance to your operations. Once you have a clear inventory, work with your infrastructure team to develop a remediation plan, which may involve restricting network access to these management ports or coordinating with the vendor for updates.

References