CVE-2026-12847: GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);
Metrics
- CVSS v3.1
- 10.0
- Severity
- CRITICAL
- Fixed in
- v2.12
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the GeoVision GV-I/O Box 4E embedded device, specifically in the DVRSearch service that listens on UDP port 10001. The vulnerability is reachable over the network with no authentication required, as any host on the network can send crafted UDP packets to the service. Successful exploitation gives an attacker full remote code execution, with complete read, write, and availability impact on the device. A patched-image rebuild at v2.12 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-12847 is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from GV-I/O Box firmware layers.
AvailableHarborGuard scores this CVE at CVSS 10.0 (Critical) and applies per-environment compliance policy weighting to prioritize routing; affected image findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableA patched-image rebuild at v2.12 becomes available on HarborGuard once the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard initiates a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach UDP port 10001 on the device over the network; DVRSearch listens by default and accepts packets from any network host.
- AuthenticationNot required
No credentials or session token are needed; DVRSearch processes UDP messages from any sender without authentication.
- Victim interactionNot required
The vulnerable service processes incoming packets autonomously; no user on the device needs to take any action to trigger the overflow.
- Attack complexityDetail
Exploitation is reliable and condition-free: sending a single crafted UDP packet is sufficient to trigger the stack overflow with no race condition or memory-layout dependency required.
Blast Radius
- An attacker reads arbitrary memory from the device, including stored network credentials and configuration secrets.
- An attacker writes arbitrary data to the stack and gains control of the instruction pointer, enabling arbitrary code execution on the device.
- An attacker fully controls the device's 4 relay outputs and 4 inputs, allowing physical-world manipulation of whatever hardware is connected.
- An attacker crashes or locks the DVRSearch service or the entire device, disrupting network-based monitoring and control functions.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-12847 is matched against scanned images immediately upon advisory ingestion. Because this is a Critical-severity issue (CVSS 10.0), environments with auto-remediation enabled are eligible for a rebuild at v2.12, an automated regression run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for those environments. Where compliance policy requires manual approval, HarborGuard surfaces the finding with full CVSS detail and fix-version information to the configured team inbox. Customers whose policy does not yet permit auto-remediation should prioritize network-level controls in the interim: restrict access to UDP port 10001 via firewall or network policy so that only authorized management hosts can reach DVRSearch, reducing exposure until the v2.12 rebuild is deployed.
Fix available
- GeoVision Inc. / GV-I/O Box 4EV2.09Fixed in v2.12
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H