External risk intelligence

GeoVision GV-I/O Box 4E Command Injection in Network Configuration.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-12849

The vulnerability resides in a network-exposed service and a web CGI endpoint on a network-connected device. These components are designed to be reachable over the network to facilitate device configuration, making them likely to be exposed if the device is deployed in a manner that allows network management or remote administration.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Multiple operating system command injection vulnerabilities have been discovered in the GeoVision GV-I/O Box 4E, affecting its network configuration capabilities. These issues allow an attacker to execute commands by sending a specially crafted network packet to the device, potentially compromising its operations.

  • An attacker can remotely run commands on the device.
  • This vulnerability could impact device control and data integrity.
  • Confirm relevance and assess exposure to GeoVision devices.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted network packet to the device. The vulnerable `libNetSetObj.so` library, which handles network configuration, does not properly sanitize input intended for network mask settings. This allows an attacker to inject and execute arbitrary operating system commands.

  • Network access is required.
  • Sending a crafted network packet triggers it.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands on the device by sending specially crafted network packets to the `DVRSearch` service or the `Network.cgi` endpoint. This could occur when the device is accessible over a network and the vulnerable functionality is invoked.

  • Device network configuration data could be affected.
  • Commands can be injected via network packets.
  • Compromised device services and data integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in GeoVision GV-I/O Box 4E affects network configuration functionality, likely managed by infrastructure or platform teams. The first practical step is to identify all deployed devices, confirm their network reachability and business criticality, and then locate the accountable owner for remediation planning.

  • Infrastructure or Platform teams own this.
  • Verify device network reachability and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GeoVision GV-I/O Box 4E?

The GeoVision GV-I/O Box 4E is a network-connected hardware device used for input and output management, often integrated into security or surveillance infrastructures. It relies on internal software libraries to manage network settings, such as IP addresses and subnet masks. The affected component, libNetSetObj.so, is a library that handles these core networking tasks, enabling the device to communicate and be managed across a network.

What does CVE-2026-12849 mean?

CVE-2026-12849 represents an OS command injection vulnerability, classified as CWE-78. This means the software fails to properly filter input before passing it to system-level commands. Because the device executes this unverified input directly, an attacker can manipulate the process to run unauthorized commands on the underlying operating system instead of just updating network settings.

How is this vulnerability triggered?

The issue is triggered when a specially crafted network packet is sent to specific device endpoints, such as the DVRSearch service or the Network.cgi interface. These services pass input to the vulnerable library to update network configurations. Note that simply having the device powered on is not enough; the bug is only activated when an external request specifically targets the input fields processed by the flawed library function.

Is my device at risk?

According to Halo Surface Signal, this vulnerability is likely to be reachable if your device is deployed with its management services accessible over a network. Devices that are directly connected to the internet or reachable via wide-area networks are at higher risk. You should assess whether your GV-I/O Box 4E configuration allows remote access to its DVRSearch or CGI management services.

What should I do if I use this device?

Begin by identifying all instances of the GeoVision GV-I/O Box 4E within your network environment. Once you have an inventory, confirm the network reachability of each device to determine which are exposed to external traffic. Coordinate with your infrastructure or platform teams to prioritize these devices and plan for updates or restricted network access while awaiting formal remediation guidance.

References