External risk intelligence

GeoVision GV-I/O Box 4E Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-12851

The vulnerability exists in an I/O device's network configuration functionality, which is reachable via a network-exposed service (DVRSearch) and a web-based CGI endpoint. These types of management services and device interfaces are commonly deployed with public-facing access in real-world environments.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in GeoVision's I/O Box 4E devices, specifically within the network configuration library. This flaw allows an unauthenticated attacker to execute arbitrary commands on the device by sending a specially crafted network request, potentially leading to a compromise of the device and its connected systems.

  • Unauthorized commands can run on the device.
  • Critical flaw impacts network configuration functions.
  • Confirm exposure and assess operational risk.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted network requests targeting the device's network configuration functionality. These requests aim to inject malicious commands, ultimately allowing the attacker to execute arbitrary code on the system.

  • Requires network access.
  • Triggered by crafted network packets.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

The `libNetSetObj.so` library's network configuration functionality could be exploited when processing specially crafted network packets. This could allow an unauthenticated attacker to execute arbitrary commands on the device, potentially affecting its network settings and overall behavior when supported by the advisory.

  • Device network configuration data.
  • Specially crafted network packets sent remotely.
  • Unauthorized command execution on the device.

Operational Fix

Recommended remediation, mitigation, and detection steps

The GeoVision GV-I/O Box 4E, specifically its `libNetSetObj.so` component, contains OS command injection vulnerabilities exploitable via network requests. Given that this functionality is used for network configuration and is exposed through services like `DVRSearch` and `Network.cgi`, platform or infrastructure teams managing these devices are likely responsible for assessment. The immediate first step should be to identify all instances of the affected device, determine their network exposure and business criticality, and then locate the accountable owner to plan a coordinated remediation.

  • Identify affected device instances.
  • Verify network exposure and criticality.
  • Plan remediation with accountable owner.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GeoVision GV-I/O Box 4E?

The GeoVision GV-I/O Box 4E is a hardware device used to connect and manage inputs and outputs for surveillance or security systems. It utilizes an internal software library called libNetSetObj.so, which handles low-level tasks such as configuring the device's network settings, including IP addresses, gateways, and DNS servers.

What is the vulnerability in CVE-2026-12851?

This CVE involves OS command injection, classified as CWE-78. In simple terms, the device's software fails to filter or clean the data it receives for network settings. Because it blindly trusts this input, an attacker can insert their own system commands, which the device then runs as if they were legitimate instructions from an administrator.

How does an attacker trigger this command injection?

An attacker triggers the bug by sending a specially crafted network packet to the device. These packets are designed to reach the vulnerable DNS configuration function. It is important to note that sending standard, legitimate network traffic or using basic management functions in a normal, expected way does not trigger this vulnerability.

Is my device at risk if it is on the internal network?

According to Halo Surface Signal, this vulnerability is considered highly relevant because the affected services, like the DVRSearch service and the Network.cgi endpoint, are frequently configured with public-facing access. Even if your device is currently on an internal network, you should evaluate if these management interfaces are reachable by untrusted parties.

What should I do first to address this threat?

The first step is to locate all deployed GeoVision GV-I/O Box 4E devices in your environment to understand your inventory. Once identified, determine which units are accessible over the network and evaluate their business criticality. Coordinate with the teams or individuals responsible for these specific devices to plan and prioritize a remediation path.

References