CRITICAL | CVE-2026-12849 | CNA GV

CVE-2026-12849: GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)

#### CNetSetObj::m_F_n_Set_Net_Mask command injection

The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.

```c
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
  bool v2; // zf
  char v4[72]; // [sp+0h] [bp-48h] BYREF

  v2 = *this == 0;
  if ( *this )
    v2 = netmask_addr == 0;
  if ( v2 )
    return 0;
  sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
  system(v4);
  return 1;
}
```

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: V2.12
Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in the libNetSetObj.so library on GeoVision GV-I/O Box 4E firmware version 2.09. The flaw is reachable over the network by an authenticated attacker with administrator-level credentials, who can send a specially crafted network packet containing a malicious netmask value that is passed unsanitized to a system() call. Successful exploitation gives the attacker arbitrary OS command execution on the device. A patched-image rebuild at firmware version V2.12 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12849 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer container images and pipeline artifacts, including custom-built images derived from GeoVision firmware bases.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and weights findings against each customer environment's compliance policy to determine urgency and routing. Triage notifications are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at firmware version V2.12 becomes available on HarborGuard for any environment where an affected V2.09-based image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service endpoints (DVRSearch and Network.cgi) are exposed over the network, so the attacker must be able to send network packets to the device to reach the injection point.

  • Authentication: Required

    The vulnerable endpoints require admin-level credentials, so the attacker must possess or compromise a privileged account on the device before triggering the injection.

  • Victim interaction: Not required

    No user or victim action is needed; the attacker sends a crafted network packet directly to the service without any human interaction on the target side.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental prerequisites beyond reachability and credentials.

Blast Radius

  • The attacker executes arbitrary OS commands as the process owner of the affected service, gaining a foothold with the privileges of that system process.
  • Full confidentiality impact: the attacker reads any file, credential, or configuration accessible on the device filesystem.
  • Full integrity impact: the attacker modifies persisted configuration, replaces binaries, or plants backdoors on the device.
  • Full availability impact: the attacker halts running services, corrupts the network stack configuration, or renders the device unresponsive.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12849 is active for all customer environments the moment the advisory enters the ingestion pipeline, with no manual configuration required. Images based on GeoVision GV-I/O Box 4E firmware V2.09 are flagged at CRITICAL priority. A rebuild at the fixed version V2.12 becomes available immediately upon detection. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, executes a regression test run against the patched image, and opens a pull request against the affected workload; for high and critical severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the remediation queue for engineer review.


Fix available: V2.12

Affected packages
  • GeoVision Inc. / GV-I/O Box 4E
    V2.09
    Fixed in V2.12
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H