HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12486Published Modified CNA GV

CVE-2026-12486: GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_IP_Addr command injection The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr) { bool v2; // zf char v4[72]; // [sp+0h] [bp-48h] BYREF v2 = *this == 0; if ( *this ) v2 = ip_addr == 0; if ( v2 ) return 0; sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address system(v4); return 1; }

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
V2.12
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in the libNetSetObj.so shared library on the GeoVision GV-I/O Box 4E (firmware V2.09). The flaw is reachable over the network by an authenticated attacker with admin-level credentials, who can send a crafted network request to the DVRSearch service or the Network.cgi endpoint to inject arbitrary OS commands. Successful exploitation gives the attacker full command execution on the device, enabling complete confidentiality, integrity, and availability compromise. A patched-image rebuild at V2.12 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-12486 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from GeoVision firmware layers.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.1 (Critical) and weighting it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Available
Patch

A patched-image rebuild at V2.12 is available on HarborGuard for any environment running the affected V2.09 firmware image. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the device over the network; both the DVRSearch service and the Network.cgi endpoint are the exposed attack surface.

  • AuthenticationRequired

    An admin-privileged account is needed to reach the vulnerable network configuration endpoints that invoke libNetSetObj.so.

  • Victim interactionNot required

    No victim interaction is needed; the attacker sends a crafted network request directly to the target service.

  • Attack complexityDetail

    Attack complexity is low; the injection is a straightforward unsanitized string passed to system(), requiring no race conditions or special environmental conditions.

Blast Radius

  • The attacker executes arbitrary OS commands as the process user of the DVRSearch or Network.cgi service, gaining a foothold on the device.
  • All data stored on or accessible to the device, including credentials and configuration secrets, is readable by the attacker.
  • The attacker can modify network stack configuration, overwrite files, or install persistent backdoors on the device.
  • The attacker can crash or disable device services, taking the I/O box offline and disrupting any physical access control or monitoring systems it supports.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12486 is active across ingestion pipelines the moment the CVE is published, with matching against any image derived from GeoVision GV-I/O Box 4E V2.09 firmware. For environments where this firmware is containerized or packaged as a scannable image, a patched rebuild at V2.12 is available. Where compliance policy permits auto-remediation, HarborGuard can rebuild the image at the fix version, execute a regression run, and open a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is queued in the triage inbox with full CVSS detail and remediation guidance. Until the patched image is deployed, compensating controls include restricting network access to the DVRSearch port and Network.cgi endpoint via network policy, and auditing admin credential exposure on affected devices.

See how HarborGuard automates this

Fix available

V2.12
Affected packages
  • GeoVision Inc. / GV-I/O Box 4E
    V2.09
    Fixed in V2.12
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References