HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12850Published Modified CNA GV

CVE-2026-12850: GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability. `libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.) #### CNetSetObj::m_F_n_Set_Gate_way command injection The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint. int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev) { char s[324]; // [sp+4h] [bp-144h] BYREF if ( !dev && !*this || !gw ) return 0; system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0"); system("/sbin/route del default "); if ( dev ) sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string else sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string system(s); sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string system(s); return 1; }

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
V2.12
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

OS command injection in the libNetSetObj.so library of the GeoVision GV-I/O Box 4E (firmware V2.09) allows a remote attacker to inject arbitrary shell commands via a crafted gateway address string passed to the CNetSetObj::m_F_n_Set_Gate_way function, which calls system() without any input sanitization. The vulnerability is reachable over the network through the DVRSearch service and the Network.cgi endpoint, and requires an admin-level account to trigger. Successful exploitation gives the attacker full command execution on the device, enabling complete confidentiality, integrity, and availability compromise. A patched-image rebuild at firmware V2.12 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12850 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle GV-I/O Box 4E firmware layers, in both registry scans and CI/CD pipeline checks.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 9.1 (Critical) and weighting it against each customer organization's compliance policy to determine urgency and routing, surfacing the alert to the appropriate team inbox without requiring manual triage.

Available
Patch

A patched-image rebuild pinned to firmware V2.12 becomes available on HarborGuard for any environment found running the affected V2.09 image. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the device over the network; the vulnerability is exposed via the network-facing DVRSearch service and the Network.cgi HTTP endpoint.

  • AuthenticationRequired

    An admin or privileged account credential is required to send the crafted network request that reaches the vulnerable gateway-configuration function.

  • Victim interactionNot required

    No victim interaction is needed; the attacker sends a crafted network packet directly to the exposed service endpoint.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental pre-conditions beyond reaching the service with valid admin credentials.

Blast Radius

  • A successful attacker executes arbitrary OS commands as the process user on the GV-I/O Box 4E device.
  • The attacker reads stored credentials, configuration secrets, and any data accessible on the device filesystem.
  • The attacker modifies device configuration, network routing tables, or persisted firmware settings.
  • The attacker crashes or permanently disables the device, taking connected I/O monitoring and physical-security integrations offline.

How HarborGuard Handles This

Available on HarborGuard: detection of this Critical-severity OS command injection is matched against customer images within minutes of CVE publication. Where a customer's scanned images include GV-I/O Box 4E firmware at V2.09, HarborGuard flags the finding and scores it at CVSS 9.1, routing it according to each organization's configured compliance policy. A rebuilt image at V2.12 is available for affected environments; for customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads. Median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Organizations that cannot immediately apply the firmware update should consider isolating the device behind a network policy that restricts access to the DVRSearch service port and the Network.cgi endpoint to trusted management hosts only.

See how HarborGuard automates this

Fix available

V2.12
Affected packages
  • GeoVision Inc. / GV-I/O Box 4E
    V2.09
    Fixed in V2.12
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References