External risk intelligence

GeoVision GV-I/O Box OS Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-12850

The vulnerability affects an IoT device (GeoVision GV-I/O Box) and is reachable through network-exposed endpoints, including a CGI interface and a service designed for network communication. Such devices are frequently deployed with management interfaces accessible over the network, and the vulnerability is directly reachable via network requests.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in GeoVision GV-I/O Box 4E devices, specifically within the `libNetSetObj.so` library. This issue allows for command injection, meaning an attacker could potentially execute arbitrary commands on the affected devices by sending a specially crafted network packet. The affected library manages network configuration, making this a significant concern for devices exposed to networks.

  • Network commands can be injected.
  • Affects network configuration and device control.
  • Confirm relevance and device exposure to network threats.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted network packet to the device. This packet targets a network configuration function within the `libNetSetObj.so` library, which processes network gateway information without proper validation. This lack of sanitization allows an attacker to inject and execute arbitrary operating system commands, potentially leading to broader system compromise.

  • Network access required.
  • Unsanitized input triggers command execution.
  • Risk of arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on the affected device by sending a specially crafted network packet. This could impact the device's network configuration and potentially its overall operational integrity when supported by the advisory.

  • System network configuration data at risk.
  • Exposure through crafted network requests.
  • Potential for unauthorized system changes.

Operational Fix

Recommended remediation, mitigation, and detection steps

The GeoVision GV-I/O Box 4E's network configuration library, `libNetSetObj.so`, contains critical OS command injection flaws. These vulnerabilities are reachable via network requests to the `DVRSearch` service and the `Network.cgi` endpoint, allowing an unauthenticated attacker to execute arbitrary commands on the device. System owners must first identify all deployed GV-I/O Box 4E devices, assess their network exposure and business criticality, and then coordinate with the vendor for remediation planning.

  • Identify affected devices and owners.
  • Verify network exposure and business impact.
  • Plan remediation with vendor support.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GeoVision GV-I/O Box 4E?

The GeoVision GV-I/O Box 4E is an IoT device designed to bridge input and output signals for security systems. It relies on an internal library called libNetSetObj.so to handle essential network operations, such as configuring IP addresses, DNS settings, and routing tables, which are vital for the device to communicate with other hardware.

What does OS command injection mean for CVE-2026-12850?

This vulnerability, classified as CWE-78 (OS Command Injection), occurs when a program passes untrusted data—in this case, network gateway information—directly to a system shell without cleaning it first. Because the library fails to sanitize this input, an attacker can append their own malicious commands to the configuration request, forcing the device to run unauthorized instructions at the operating system level.

How can an attacker trigger this vulnerability?

An attacker triggers this bug by sending a specially crafted network packet to the device. These packets target specific network interfaces, such as the DVRSearch service or the Network.cgi endpoint. The vulnerability is triggered specifically when these endpoints process the gateway address parameter; simply having the device powered on or connected to a network is not enough without the targeted, malicious request.

Why does Halo Surface Signal categorize this as external?

Halo Surface Signal identifies this as an external threat because the vulnerable endpoints are network-exposed, meaning they are designed to receive and process traffic from the network. Since these services are reachable via standard network requests rather than requiring physical access or local console commands, any device with these ports accessible on a network faces an increased risk.

What should I do if I manage these devices?

First, locate and list all deployed GV-I/O Box 4E units in your environment. Evaluate whether these devices must remain accessible via your network. Once you have an inventory, monitor official communications from GeoVision for firmware updates or specific security patches, and work with your internal teams to plan for the application of those fixes.

References