CVE-2026-42364: GeoVision IP Camera OS Command Injection (CVSS 9.9)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


A critical OS command injection vulnerability in GeoVision LPC2011/LPC2211 IP cameras allows unauthenticated attackers to execute arbitrary commands via a crafted DDNS configuration request. CVSS score: 9.9.

Dylan H.

Security Team

May 4, 2026

Affected Products

  • GeoVision LPC2011 firmware 1.10
  • GeoVision LPC2211 firmware 1.10

Executive Summary

A critical OS command injection vulnerability has been disclosed in GeoVision LPC2011 and LPC2211 license plate capture cameras running firmware version 1.10. Tracked as CVE-2026-42364, the flaw exists in the DdnsSetting.cgi endpoint and allows an attacker who can interact with the camera's web interface to inject arbitrary OS commands by supplying a malicious DDNS configuration value.

CVSS Score: 9.9 (Critical)

GeoVision cameras are widely deployed in parking systems, access control, traffic monitoring, and smart city infrastructure — making exploitation of this class of device a high-impact threat for both corporate and government environments.


Vulnerability Overview

Root Cause

The DdnsSetting.cgi CGI script on affected GeoVision cameras processes user-supplied DDNS (Dynamic DNS) configuration values without adequate input sanitization. Configuration parameters passed to the script are directly incorporated into OS-level command strings, creating a classic OS command injection sink.

An attacker with access to the camera's management interface — which in many deployments is exposed on the LAN or, in misconfigured environments, directly to the internet — can inject shell metacharacters into a DDNS configuration field to execute arbitrary commands with the privileges of the web server process, typically root on embedded Linux-based devices.

Attack Chain

1. Attacker reaches the camera's web management interface (LAN or exposed WAN)
2. Authenticates (or exploits unauthenticated access if session management is weak)
3. Sends a crafted POST request to /DdnsSetting.cgi with an injected shell payload
4. Embedded Linux OS executes the injected command as root
5. Attacker gains persistent access, pivots into the internal network, or exfiltrates data

CWE

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection")


Technical Details

Affected Products and Versions

Product | Firmware | Status
GeoVision LPC2011 | 1.10 | Vulnerable
GeoVision LPC2211 | 1.10 | Vulnerable
Other GeoVision models | Unconfirmed | Under investigation

Vulnerable Endpoint

POST /DdnsSetting.cgi HTTP/1.1
Host: <camera-ip>
Content-Type: application/x-www-form-urlencoded

DdnsType=0&DdnsUser=admin&DdnsPass=password&DdnsHost=<INJECTED_PAYLOAD>

The DdnsHost parameter (and potentially other fields) is concatenated into a shell command without sanitization. A payload such as:

legithost.example.com; id; whoami

executes id and whoami on the device. More destructive payloads can establish reverse shells or drop persistent implants.

Impact

On GeoVision cameras, the web server process typically runs as root. Successful exploitation provides:

  • Full root shell on the device
  • Access to the camera video stream and stored footage
  • Use of the device as a network pivot point
  • Ability to join the camera into a botnet (Mirai variants actively target IP cameras)
  • Lateral movement into adjacent LAN segments

Identifying Exposed Devices

Shodan / Internet Exposure

GeoVision camera management interfaces are indexed by Shodan and other internet scanners. A basic query to identify internet-facing GeoVision devices:

http.title:"GeoVision" port:80,8080

Organizations should verify that no GeoVision cameras are reachable from the internet on their management ports.

Internal Discovery

# Scan your network for GeoVision devices
# (-oG - prints one line per host, so each match keeps its IP address)
nmap -sV --open -p 80,8080,443 -oG - 192.168.0.0/24 | grep -i "geovision"

# Check HTTP banners for GeoVision fingerprints
curl -s "http://<camera-ip>/" | grep -Ei "geovision|lpc2011|lpc2211"

Firmware Version Check

GET /getinfo.cgi HTTP/1.1
Host: <camera-ip>

Devices responding with firmware 1.10 should be treated as vulnerable until patched or mitigated.


Remediation

Immediate Actions

  1. Network isolation: Remove all GeoVision LPC2011/LPC2211 cameras from internet-facing segments immediately.
  2. Firewall rules: Restrict access to the camera's management port (TCP 80/443/8080) to authorized management hosts only.
  3. Patch when available: Monitor GeoVision's security portal for firmware updates. Apply the patch as soon as it is released.
  4. Credential rotation: Change all camera management passwords from defaults.

Network Segmentation

[Internet] --X--> [Camera VLAN]
[Internal LAN] --firewall rule--> [Camera VLAN :80/:8080]
[Management host only] --allow--> [Camera VLAN :80/:8080]

Cameras should never have their management interfaces exposed to untrusted networks.

Compensating Controls (Until Patch)

Control | Description
VLAN Isolation | Place cameras in a dedicated, firewalled VLAN
ACL Restriction | Allow management access only from specific IPs
Disable DDNS | If DDNS is not required, disable it via device settings
IDS Monitoring | Alert on unusual outbound connections from camera subnet
Physical Review | Audit all deployed GeoVision devices for network exposure

Detection

Network-Level Indicators

Monitor camera management interfaces for:

  • Unusual POST requests to /DdnsSetting.cgi with shell metacharacters (;, |, &&, $(, backtick)
  • Outbound connections from camera IPs to unexpected destinations
  • DNS queries from camera IPs to uncommon external hosts

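IDS Rule (Suricata)

# Define CAMERA_SUBNET under vars: address-groups in suricata.yaml.
# sid must fit in 32 bits; 1000001 is a placeholder from the local-use range.
alert http any any -> $CAMERA_SUBNET any ( \
  msg:"CVE-2026-42364 GeoVision DdnsSetting.cgi Command Injection Attempt"; \
  flow:to_server,established; \
  http.uri; content:"/DdnsSetting.cgi"; \
  http.request_body; pcre:"/DdnsHost=[^&]*[\x3b|`$()]/"; \
  sid:1000001; \
  rev:1; \
)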
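
The metacharacter indicator above can also be checked offline against captured request bodies. This is an added example, not code from GeoVision or from this article: it percent-decodes the form body before inspecting DdnsHost, so encoded metacharacters are caught as well, and it goes one step further by flagging any value that is not a syntactically valid hostname, which is the allow-list check the root cause section says is missing. The function name and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(LABEL + r"(?:\." + LABEL + r")*")
# Shell metacharacters named in the indicators list, plus newline.
SHELL_META = set(";|&$`()\n")


def check_ddns_body(body: str) -> list[str]:
    """Return findings for one form-urlencoded /DdnsSetting.cgi request body."""
    findings = []
    # parse_qs percent-decodes values, so '%3B' and ';' are treated alike.
    # separator="&" keeps a literal ';' inside the value on every Python version.
    fields = parse_qs(body, keep_blank_values=True, separator="&")
    for value in fields.get("DdnsHost", []):
        meta = sorted(SHELL_META.intersection(value))
        if meta:
            findings.append(f"shell metacharacters {meta!r} in DdnsHost")
        elif len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
            # Allow-list check: anything that is not a hostname is suspect.
            findings.append("DdnsHost is not a valid hostname")
    return findings


# Constructed sample request bodies (not captured traffic).
PREFIX = "DdnsType=0&DdnsUser=admin&DdnsPass=password&DdnsHost="
SAMPLES = [
    PREFIX + "cam1.example.com",                          # benign
    PREFIX + "legithost.example.com; id; whoami",         # payload shown in the article
    PREFIX + "legithost.example.com%3B+id%3B+whoami",     # same payload, percent-encoded
    PREFIX + "cam_1 example",                             # no metacharacter, not a hostname
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_ddns_body(sample) or "ok", "<-", sample)
```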

Historical Context: IoT Camera Vulnerabilities

OS command injection in IP camera CGI scripts is a recurring and well-documented vulnerability class. GeoVision cameras have appeared in prior CVEs, and the broader IP camera ecosystem has a long history of similar flaws:

Year | Notable CVE | Impact
2016 | Mirai botnet (multiple) | 100,000+ cameras compromised for DDoS
2021 | CVE-2021-33544 (Geutebruck) | Mass IP camera compromise
2023 | CVE-2023-1389 (TP-Link) | Router/camera botnet injection
2024 | CVE-2024-47547 (Reolink) | Authentication bypass + RCE
2026 | CVE-2026-42364 | GeoVision LPC command injection

IP cameras are attractive botnet targets because they are always-on, typically unmonitored, and often connected to both LAN and internet.


References

  • NIST NVD — CVE-2026-42364
  • GeoVision Security Advisories
  • CWE-78: OS Command Injection
