CRITICAL | CVE-2026-12485 | CNA: GV

CVE-2026-12485: GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service that runs by default on the IOBox and listens for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

#### IP field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

    v3 = strlen(g_network_config->ip_addr);
    memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
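The copy quoted above takes its length from `strlen` on data that arrives in the UDP message and never compares it with the space left after offset 36. The following bounded version is an added example, not GeoVision's code or its v2.12 fix; `copy_ip_field`, `REPLY_SIZE`, `IP_FIELD_MAX` and the sample inputs are assumptions, since the page gives neither the size of `reply_buf` nor the layout behind `g_network_config`.

```c
#include <stdio.h>
#include <string.h>

#define RECV_MAX     1460 /* from the advisory: largest UDP message the service reads */
#define IP_OFFSET    36   /* from the advisory: destination is &reply_buf[36] */
#define REPLY_SIZE   128  /* assumption: the page does not give reply_buf's size */
#define IP_FIELD_MAX 16   /* assumption: "255.255.255.255" plus its NUL */

/* Bounded form of the copy quoted in the advisory. `field` points at the IP
 * string inside the message, `avail` is the bytes left from there. -1 = reject. */
int copy_ip_field(unsigned char *reply, size_t reply_size,
                  const char *field, size_t avail)
{
    if (!reply || !field || reply_size <= IP_OFFSET)
        return -1;
    size_t limit = avail < IP_FIELD_MAX ? avail : IP_FIELD_MAX;
    const char *nul = memchr(field, '\0', limit); /* unlike strlen, stays in the message */
    size_t len = nul ? (size_t)(nul - field) : 0;
    if (len == 0 || len > reply_size - IP_OFFSET - 1)
        return -1;   /* empty, unterminated, too long, or would not fit */
    for (size_t i = 0; i < len; i++)   /* dotted-quad characters only */
        if (field[i] != '.' && (field[i] < '0' || field[i] > '9'))
            return -1;
    memcpy(reply + IP_OFFSET, field, len);
    reply[IP_OFFSET + len] = '\0';
    return (int)len;
}

/* Constructed inputs: a normal address and a full-size message with no NUL. */
int sample_valid(void)
{
    unsigned char reply[REPLY_SIZE] = {0};
    const char msg[] = "192.168.0.10";
    return copy_ip_field(reply, sizeof reply, msg, sizeof msg);
}

int sample_oversized(void)
{
    unsigned char reply[REPLY_SIZE] = {0};
    char msg[RECV_MAX];
    memset(msg, '1', sizeof msg);      /* 1460 bytes, never terminated */
    return copy_ip_field(reply, sizeof reply, msg, sizeof msg);
}

int main(void)
{
    printf("valid=%d oversized=%d\n", sample_valid(), sample_oversized());
    return 0;
}
```

The same three checks (scan bounded by the message, length bounded by the destination, character allow-list) apply to any other string field the service copies into a fixed reply buffer.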

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: v2.12
Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the GeoVision GV-I/O Box 4E firmware, specifically in the DVRSearch service that listens for UDP messages on port 10001. The service is reachable by any host on the network with no authentication required, and exploitation requires no user interaction. Successful exploitation gives an attacker full control over the device, including reading sensitive data, modifying configuration, and crashing or taking over the service. A patched-image rebuild at v2.12 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle GV-I/O Box firmware or related components. Any image found running the affected v2.09 firmware is flagged immediately in the pipeline.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 10.0 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at v2.12 becomes available on HarborGuard once the upstream fix version is confirmed, which it is in this case. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device over the network; DVRSearch listens on UDP port 10001 and is exposed to any host on the local or routed network without further access control.

  • Authentication: Not required

    No credentials or session token are needed; the DVRSearch service accepts and processes UDP messages from any sender.

  • Victim interaction: Not required

    The exploit is fully automated and requires no action from a user or administrator on the target device.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; the attacker simply sends a crafted UDP packet and the overflow occurs deterministically on any unpatched device.

Blast Radius

  • An attacker reads sensitive data stored on or accessible to the device, such as network configuration and credentials held in memory.
  • An attacker writes arbitrary values into the stack and gains control of the instruction pointer, enabling remote code execution on the embedded firmware.
  • An attacker modifies device configuration, including IP settings and relay output states, disrupting physical or logical systems the device controls.
  • An attacker crashes the DVRSearch service or the entire device, denying legitimate access and potentially disrupting connected physical hardware.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all customer images, with findings surfaced within minutes of the CVE entering the upstream feed. Given the CVSS 10.0 score and the absence of any authentication barrier, this CVE is prioritized at the top of the remediation queue. A rebuilt image at v2.12 is available for environments running the affected v2.09 firmware. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding routes to the designated team inbox with full artifact context for manual review. Until the patched image is deployed, consider applying network-policy controls to restrict inbound UDP traffic on port 10001 to trusted source addresses only.


Fix available: v2.12

Affected packages
  • GeoVision Inc. / GV-I/O Box 4E
    Affected: V2.09
    Fixed in v2.12

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H