Severity: CRITICAL | CVE-2026-12851 | CNA: GV

CVE-2026-12851: GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.

`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.).

#### CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.

```c
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
  int result; // r0
  char v5[80]; // [sp+0h] [bp-50h] BYREF

  if ( !dns1 )
    result = 0;
  if ( dns1 )
  {
    sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
    system(v5);
    if ( dns2 )
    {
      sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
      system(v5);
    }
    return 1;
  }
  return result;
}
```
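A hardened form of the DNS setter shown above, as an added example that is not GeoVision's code and not the V2.12 fix: each address must parse as an IP literal with `inet_pton`, and the file is written directly instead of through a shell command. The names `is_ip_literal` and `set_dns_addr_safe`, the `path` parameter and the sample inputs are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only if s is a literal IPv4 or IPv6 address. inet_pton rejects
 * any string with extra bytes, so shell metacharacters cannot pass. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (s == NULL || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hypothetical replacement for the DNS setter: validates both inputs first,
 * then writes the file itself. No shell and no fixed-size command buffer.
 * path is a parameter so the routine can be exercised off the device. */
int set_dns_addr_safe(const char *path, const char *dns1, const char *dns2)
{
    FILE *fp;

    if (!is_ip_literal(dns1))
        return 0;
    if (dns2 != NULL && !is_ip_literal(dns2))
        return 0;                      /* reject before touching the file */

    fp = fopen(path, "w");
    if (fp == NULL)
        return 0;
    fprintf(fp, "nameserver %s\n", dns1);
    if (dns2 != NULL)
        fprintf(fp, "nameserver %s\n", dns2);
    return fclose(fp) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the second carries a shell metacharacter. */
    const char *out = "/tmp/resolv.conf.example";

    printf("valid:    %d\n", set_dns_addr_safe(out, "192.0.2.53", "2001:db8::53"));
    printf("rejected: %d\n", set_dns_addr_safe(out, "192.0.2.53;true", NULL));
    return 0;
}
```

Like the original, the function returns 0 when `dns1` is NULL; unlike the original, it also returns 0 and leaves the file untouched when either address fails validation.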

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: V2.12
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability exists in the libNetSetObj.so library used by GeoVision GV-I/O Box 4E firmware version 2.09. The flaw is reachable over the network by an authenticated attacker with administrator privileges, via either the DVRSearch service or the Network.cgi endpoint, and stems from unsanitized user input passed directly to a system() call. Successful exploitation gives the attacker full command execution on the device, with the ability to read, modify, or destroy all data and crash or hijack device operation. A patched-image rebuild at version V2.12 is available on HarborGuard for environments running the affected firmware version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle GeoVision firmware components.

Triage: Available

HarborGuard scores this finding at CVSS 9.1 (Critical, v3.1) and is capable of weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Patch: Available

A patched-image rebuild at GV-I/O Box 4E version V2.12 is available on HarborGuard for environments running the affected 2.09 version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device over the network, as the vulnerable code paths are exposed through the DVRSearch service and the Network.cgi endpoint.

  • Authentication: Required

    An admin-level account is required to reach the affected network configuration endpoints that invoke the vulnerable DNS-setting function.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends a crafted network request directly to the vulnerable service.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or memory layout knowledge.

Blast Radius

  • The attacker executes arbitrary OS commands on the device with the privileges of the process hosting DVRSearch or Network.cgi, giving full control over the operating environment.
  • All data stored on or accessible through the device is readable, including credentials, configuration files, and any connected sensor or I/O state.
  • The attacker can modify device configuration, overwrite firmware state, or pivot to other network-adjacent systems reachable from the device.
  • The affected service and the device itself can be crashed or rendered permanently unavailable by malicious commands passed through the injection point.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12851 is active against any image in a customer registry or pipeline that bundles GeoVision GV-I/O Box 4E firmware at version 2.09. A patched-image rebuild targeting version V2.12 is available; for customers who have auto-remediation enabled, HarborGuard can trigger the rebuild, execute a regression test run, and open a pull request against the affected workload automatically. Given the Critical severity rating and network-exposed, no-interaction-required exploit path, prompt action is warranted; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with full CVSS context and upgrade guidance so engineering teams can prioritize the manual upgrade to V2.12. As an interim compensating control, customers can apply network policy rules to restrict access to the DVRSearch port and the Network.cgi endpoint to trusted management hosts only, reducing the exposure window until the patched image is deployed.


Fix available: V2.12

Affected packages
  • GeoVision Inc. / GV-I/O Box 4E
    V2.09
    Fixed in V2.12

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H