Overview
A critical stack-based buffer overflow vulnerability (CVE-2026-12485) has been identified in the GeoVision GV-I/O Box 4E embedded IoT device, firmware version 2.09. The flaw carries a CVSS v3.1 score of 10.0 CRITICAL and enables unauthenticated remote attackers to execute arbitrary code by sending a malicious UDP packet to the device's DVRSearch service.
The GV-I/O Box 4E is an industrial IoT device providing 4 digital inputs and 4 relay outputs for remote control over Ethernet and RS-485, commonly deployed in physical security, building automation, and industrial control environments.
Technical Details
The vulnerability resides in the DVRSearch service, which runs by default on UDP port 10001 and accepts messages from any network-accessible host without requiring authentication.
The vulnerable code path reads network configuration data — specifically the device's stored IP address — and copies it into a fixed-size reply buffer without bounds checking:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);The function reads up to 1460 bytes into a local buffer from the network, but the destination buffer at offset 36 within the reply is not sized to accommodate that maximum. If the stored IP address field is overlong (e.g., through a prior misconfiguration or a companion injection vulnerability), the memcpy overflows the stack, enabling control-flow hijacking.
| Property | Value |
|---|---|
| CVE | CVE-2026-12485 |
| CVSS v3.1 | 10.0 CRITICAL |
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| Affected Version | GV-I/O Box 4E v2.09 |
| Fixed Version | GV-I/O Box 4E v2.12 |
| Protocol | UDP port 10001 |
Affected Products
- Vendor: GeoVision Inc.
- Product: GV-I/O Box 4E
- Platform: Linux (embedded)
- Vulnerable firmware: V2.09
- Patched firmware: V2.12
Impact
Successful exploitation allows an unauthenticated, network-adjacent or remote attacker to:
- Execute arbitrary code with the privileges of the DVRSearch process
- Achieve full device compromise — modify relay states, disable inputs/outputs, or pivot to internal networks
- Trigger a denial of service by crashing the service
Given the Scope change (S:C) in the CVSS vector, a compromise could impact connected systems beyond the device itself.
Remediation
- Update firmware to version V2.12 or later from the GeoVision security advisory page.
- Restrict network access to UDP port 10001 — apply firewall rules or ACLs so only trusted management hosts can reach the DVRSearch service.
- Segment IoT devices onto dedicated VLANs with no direct internet exposure.
- Inventory GV-I/O Box 4E devices in your environment and prioritize patching for any directly internet-accessible units.