Executive Summary
A critical unauthenticated stack-based buffer overflow vulnerability has been identified in the ssvr streaming service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier). Tracked as CVE-2026-57879 with a CVSS score of 9.8 (Critical), the vulnerability is exploitable by a remote unauthenticated attacker who sends specially crafted RTSP custom authentication data, potentially leading to arbitrary code execution.
CVSS Score: 9.8 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-57879 |
| CVSS Score | 9.8 (Critical) |
| Type | Stack-Based Buffer Overflow |
| Component | ssvr (RTSP streaming server) |
| Attack Vector | Network |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Availability Impact | High |
| Confidentiality Impact | High |
| Integrity Impact | High |
Root Cause
The ssvr (streaming server) component in GeoVision LPC cameras exposes an RTSP interface for video streaming. When processing RTSP custom authentication data, the service copies attacker-supplied data into a stack buffer without validating its length. An oversized authentication payload can overflow the buffer, corrupting stack frames and enabling an attacker to redirect execution to arbitrary code.
Affected Products
| Product | Affected Firmware | Fixed Version |
|---|---|---|
| GeoVision GV-LPC2011 | V1.12 and earlier | TBD |
| GeoVision GV-LPC2211 | V1.12 and earlier | TBD |
Technical Analysis
Attack Mechanism
RTSP (Real Time Streaming Protocol) is used by GeoVision LPC cameras for delivering live video streams. The ssvr daemon listens for incoming RTSP connections (typically TCP port 554). An attacker can:
- Connect to the RTSP service on the camera (no authentication required to initiate).
- Send a crafted RTSP message containing oversized custom authentication data.
- The
ssvrservice copies the supplied data into a fixed-size stack buffer without bounds checking. - The stack overflow overwrites the return address or function pointers.
- The attacker gains arbitrary code execution — potentially as root — on the embedded device.
RTSP Exposure
RTSP on port 554 is frequently opened in firewall rules to allow remote viewing of camera feeds, making this attack surface commonly reachable from untrusted or semi-trusted networks. Many deployments expose RTSP directly to the internet or corporate WAN for monitoring purposes, significantly widening the attack surface.
Risk Assessment
Deployment Context
GeoVision LPC cameras are widely deployed for:
- License plate recognition at parking facilities
- Physical access control at building entrances
- Traffic management and law enforcement support systems
Potential Impact
- Arbitrary remote code execution on the camera
- Camera feed manipulation or disabling — bypassing physical security
- Network persistence — using the camera as a foothold to attack internal network resources
- Data exfiltration — accessing captured license plate images and recognition data
Remediation
Immediate Steps
- Monitor for firmware patches from GeoVision and apply when available.
- Block external access to RTSP (port 554) from untrusted networks at the perimeter firewall.
- Move cameras to an isolated IoT VLAN with no direct internet connectivity.
- Review whether RTSP streaming is required from untrusted network zones; disable if not needed.
Network Mitigations
| Control | Action |
|---|---|
| Firewall | Block TCP 554 inbound from untrusted/internet sources |
| VLAN isolation | Segment camera networks from corporate IT infrastructure |
| IDS/IPS | Alert on malformed RTSP authentication payloads targeting GeoVision devices |
| VPN | Require VPN access before any RTSP viewing is permitted |
Detection
Network Indicators
| Indicator | Description |
|---|---|
| Oversized RTSP auth payloads to camera IP range | Potential exploitation attempt |
| Unexpected outbound TCP connections from camera IPs | Post-exploitation lateral movement or C2 |
| Camera service crashes or unexpected reboots | Buffer overflow causing instability |
Key Takeaways
- CVSS 9.8 Critical — Unauthenticated overflow via RTSP streaming interface.
- RTSP is commonly internet-exposed on surveillance camera deployments — broad attack surface.
- No credentials required — Any internet-reachable camera running firmware V1.12 or earlier is at risk.
- Part of a cluster of four critical CVEs affecting the same GeoVision LPC camera platform.
- Isolate and patch — Block RTSP externally until GeoVision releases patched firmware.