Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-12486: GeoVision GV-I/O Box 4E OS Command Injection via libNetSetObj.so
CVE-2026-12486: GeoVision GV-I/O Box 4E OS Command Injection via libNetSetObj.so

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-12486

CVE-2026-12486: GeoVision GV-I/O Box 4E OS Command Injection via libNetSetObj.so

Multiple OS command injection vulnerabilities in GeoVision GV-I/O Box 4E firmware 2.09 allow attackers with network access to execute arbitrary system...

Dylan H.

Security Team

June 24, 2026
3 min read

Affected Products

  • GeoVision GV-I/O Box 4E v2.09

Overview

CVE-2026-12486 is a critical OS command injection vulnerability affecting the GeoVision GV-I/O Box 4E, an industrial embedded IoT device widely deployed in physical security and building automation systems. The vulnerability exists in the libNetSetObj.so shared library and receives a CVSS v3.1 score of 9.1 CRITICAL, allowing attackers with network access to execute arbitrary OS commands on the underlying Linux system.

Cisco Talos disclosed this alongside two companion stack overflow vulnerabilities (CVE-2026-12485 and CVE-2026-12846), all affecting firmware version 2.09 and all patched in version 2.12.

Technical Details

The vulnerability originates in libNetSetObj.so, the shared library responsible for network configuration operations on the device. The function CNetSetObj::m_F_n_Set_IP_Addr accepts a user-supplied IP address string and passes it directly to a system() call without any sanitization or validation:

// Vulnerable code pattern in CNetSetObj::m_F_n_Set_IP_Addr
system(ip_addr_string);  // ip_addr_string is user-controlled

An attacker can inject shell metacharacters (e.g., ;, &&, |) into the IP address field, causing the device to execute attacker-specified commands. The vulnerable code path is reachable through two attack surfaces:

  • DVRSearch — the default UDP discovery service on port 10001
  • Network.cgi — the network configuration CGI endpoint exposed via the device's web interface
PropertyValue
CVECVE-2026-12486
CVSS v3.19.1 CRITICAL
VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWECWE-78 (OS Command Injection)
Affected VersionGV-I/O Box 4E v2.09
Fixed VersionGV-I/O Box 4E v2.12
LibrarylibNetSetObj.so

Affected Products

  • Vendor: GeoVision Inc.
  • Product: GV-I/O Box 4E
  • Platform: Linux (embedded)
  • Vulnerable firmware: V2.09
  • Patched firmware: V2.12

Impact

Exploitation requires high privileges (PR:H), meaning an attacker needs administrative credentials to reach the Network.cgi endpoint. However, the Scope change (S:C) indicates that a successful exploit can impact systems beyond the device boundary.

A successful attack enables:

  • Arbitrary OS command execution as the web or service process user
  • Persistent backdoor installation on the embedded Linux system
  • Lateral movement into adjacent network segments
  • Modification of relay outputs and sensor inputs, affecting physical infrastructure

Note: Combined with CVE-2026-12485 or CVE-2026-12846 (which require no authentication), an attacker could chain vulnerabilities to gain initial access and then leverage this injection for deeper system compromise.

Remediation

  1. Upgrade firmware to version V2.12 or later — available from the GeoVision security page.
  2. Enforce strong admin credentials on all GV-I/O Box 4E devices; rotate default passwords immediately.
  3. Restrict access to the device web interface (Network.cgi) — place management interfaces behind a VPN or management VLAN.
  4. Block UDP port 10001 from untrusted networks to reduce attack surface for companion CVEs.
  5. Audit IoT inventory — identify all GV-I/O Box 4E units in your environment and apply updates before internet-exposure is possible.

References

  • Cisco Talos Advisory TALOS-2026-2379
  • GeoVision Cyber Security Page
  • NVD Entry — CVE-2026-12486
  • CVE-2026-12485 (companion stack overflow)
  • CVE-2026-12846 (companion stack overflow)
#CVE#GeoVision#IoT#Command Injection#RCE#Embedded Device#CWE-78

Related Articles

CVE-2026-12485: GeoVision GV-I/O Box 4E UDP Stack Overflow (IP Address Field)

A critical CVSS 10.0 stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated remote attackers to achieve...

3 min read

CVE-2026-12846: GeoVision GV-I/O Box 4E UDP Stack Overflow (Net Mask Field)

A second critical CVSS 10.0 stack-based buffer overflow in GeoVision GV-I/O Box 4E firmware 2.09 — this time in the Net Mask field handling of the...

3 min read

CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

A critical CVSS 9.8 OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary...

5 min read
Back to all Security Alerts