Overview
CVE-2026-12486 is a critical OS command injection vulnerability affecting the GeoVision GV-I/O Box 4E, an industrial embedded IoT device widely deployed in physical security and building automation systems. The vulnerability exists in the libNetSetObj.so shared library and receives a CVSS v3.1 score of 9.1 CRITICAL, allowing attackers with network access to execute arbitrary OS commands on the underlying Linux system.
Cisco Talos disclosed this alongside two companion stack overflow vulnerabilities (CVE-2026-12485 and CVE-2026-12846), all affecting firmware version 2.09 and all patched in version 2.12.
Technical Details
The vulnerability originates in libNetSetObj.so, the shared library responsible for network configuration operations on the device. The function CNetSetObj::m_F_n_Set_IP_Addr accepts a user-supplied IP address string and passes it directly to a system() call without any sanitization or validation:
// Vulnerable code pattern in CNetSetObj::m_F_n_Set_IP_Addr
system(ip_addr_string); // ip_addr_string is user-controlledAn attacker can inject shell metacharacters (e.g., ;, &&, |) into the IP address field, causing the device to execute attacker-specified commands. The vulnerable code path is reachable through two attack surfaces:
- DVRSearch — the default UDP discovery service on port 10001
- Network.cgi — the network configuration CGI endpoint exposed via the device's web interface
| Property | Value |
|---|---|
| CVE | CVE-2026-12486 |
| CVSS v3.1 | 9.1 CRITICAL |
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-78 (OS Command Injection) |
| Affected Version | GV-I/O Box 4E v2.09 |
| Fixed Version | GV-I/O Box 4E v2.12 |
| Library | libNetSetObj.so |
Affected Products
- Vendor: GeoVision Inc.
- Product: GV-I/O Box 4E
- Platform: Linux (embedded)
- Vulnerable firmware: V2.09
- Patched firmware: V2.12
Impact
Exploitation requires high privileges (PR:H), meaning an attacker needs administrative credentials to reach the Network.cgi endpoint. However, the Scope change (S:C) indicates that a successful exploit can impact systems beyond the device boundary.
A successful attack enables:
- Arbitrary OS command execution as the web or service process user
- Persistent backdoor installation on the embedded Linux system
- Lateral movement into adjacent network segments
- Modification of relay outputs and sensor inputs, affecting physical infrastructure
Note: Combined with CVE-2026-12485 or CVE-2026-12846 (which require no authentication), an attacker could chain vulnerabilities to gain initial access and then leverage this injection for deeper system compromise.
Remediation
- Upgrade firmware to version V2.12 or later — available from the GeoVision security page.
- Enforce strong admin credentials on all GV-I/O Box 4E devices; rotate default passwords immediately.
- Restrict access to the device web interface (Network.cgi) — place management interfaces behind a VPN or management VLAN.
- Block UDP port 10001 from untrusted networks to reduce attack surface for companion CVEs.
- Audit IoT inventory — identify all GV-I/O Box 4E units in your environment and apply updates before internet-exposure is possible.