Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. GeoVision LPC Camera Critical RCE via ssvr RTSP Digest Auth Buffer Overflow (CVE-2026-57880)
GeoVision LPC Camera Critical RCE via ssvr RTSP Digest Auth Buffer Overflow (CVE-2026-57880)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-57880

GeoVision LPC Camera Critical RCE via ssvr RTSP Digest Auth Buffer Overflow (CVE-2026-57880)

A critical unauthenticated stack-based buffer overflow in GeoVision GV-LPC2011 and GV-LPC2211 cameras allows remote code execution by exploiting...

Dylan H.

Security Team

June 26, 2026
5 min read

Affected Products

  • GeoVision GV-LPC2011 V1.12 and earlier
  • GeoVision GV-LPC2211 V1.12 and earlier

Executive Summary

A critical unauthenticated stack-based buffer overflow has been disclosed in the ssvr RTSP streaming daemon of GeoVision GV-LPC2011 and GV-LPC2211 cameras (firmware V1.12 and earlier). Assigned CVE-2026-57880 with a CVSS score of 9.8 (Critical), this vulnerability specifically occurs during parsing of RTSP Digest authentication fields, allowing an unauthenticated remote attacker to execute arbitrary code on affected devices.

CVSS Score: 9.8 (Critical)


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-57880
CVSS Score9.8 (Critical)
TypeStack-Based Buffer Overflow
Componentssvr (RTSP streaming server) — Digest authentication parser
Attack VectorNetwork
AuthenticationNone required
Privileges RequiredNone
User InteractionNone
Availability ImpactHigh
Confidentiality ImpactHigh
Integrity ImpactHigh

Root Cause

This vulnerability is distinct from CVE-2026-57879 in that it targets the Digest authentication parsing logic within the same ssvr component, rather than custom authentication data. RTSP Digest authentication (modeled after HTTP Digest Auth — RFC 2617) involves multiple fields such as username, realm, nonce, uri, and response. The ssvr daemon fails to validate the length of one or more of these fields before copying them into stack-allocated buffers, enabling an overflow that can corrupt the return address and hijack execution flow.


Affected Products

ProductAffected FirmwareFixed Version
GeoVision GV-LPC2011V1.12 and earlierTBD
GeoVision GV-LPC2211V1.12 and earlierTBD

Technical Analysis

Digest Authentication as an Attack Surface

RTSP Digest authentication is a challenge-response mechanism intended to protect streaming access. During the authentication handshake:

  1. Client sends an initial RTSP request (e.g., DESCRIBE).
  2. Server responds with 401 Unauthorized and a WWW-Authenticate: Digest realm=... header.
  3. Client re-sends the request with an Authorization: Digest ... header containing fields like username, realm, nonce, uri, response, and opaque.

The GeoVision ssvr daemon parses these Authorization: Digest fields without bounds checking. By crafting a request with an oversized value in one or more Digest fields, an attacker can:

  • Overflow a stack buffer during field parsing
  • Overwrite adjacent stack memory including the return address
  • Redirect execution to attacker-controlled code

This attack occurs at the authentication processing stage — before any valid credential check — meaning no prior authentication is needed to trigger the vulnerability.

Relationship to CVE-2026-57879

Both CVE-2026-57879 and CVE-2026-57880 affect the ssvr component and are stack-based buffer overflows exploitable via RTSP. They differ in the specific code path triggered:

  • CVE-2026-57879: Overflow in custom authentication data processing
  • CVE-2026-57880: Overflow in standard RTSP Digest authentication field parsing

Both must be treated as independent vulnerabilities requiring separate analysis in exploit development and patch verification.


Risk Assessment

Exposure Profile

  • RTSP (port 554) is widely opened on firewalls for camera streaming
  • Digest authentication was intended as a security improvement over basic auth but becomes an attack vector here
  • Cameras are frequently deployed at critical physical security points (entrances, parking, access control)
  • Attackers could use a compromised camera as a stealthy internal network foothold

Business Impact

Impact CategoryDescription
Physical SecurityDisable or tamper with license plate recognition and surveillance
Data BreachAccess captured plate images and recognition logs
Network InfiltrationUse camera as pivot point into corporate LAN
Service DisruptionCrash or brick camera via uncontrolled overflow

Remediation

Priority Actions

  1. Apply firmware patches from GeoVision upon release — verify V1.13 or later addresses CVE-2026-57880.
  2. Block RTSP access (TCP 554) at perimeter and internal firewalls for camera segments.
  3. Require VPN for all remote camera viewing — do not expose RTSP directly.
  4. Network segment cameras on a dedicated IoT VLAN with egress filtering.
  5. Audit current exposure — scan for GeoVision LPC cameras reachable from internet or corporate WAN.

Compensating Controls

ControlEffectiveness
Firewall block on TCP 554Eliminates remote exploitability
VLAN isolationLimits lateral movement post-compromise
IDS signature for oversized RTSP Digest fieldsDetects active exploitation attempts
Firmware monitoringAlerts when vendor patch becomes available

Key Takeaways

  1. CVSS 9.8 Critical — Unauthenticated RCE via RTSP Digest authentication parsing flaw.
  2. Authentication mechanisms can themselves be attack surfaces when implementations lack bounds checking.
  3. Part of a four-CVE cluster affecting GeoVision LPC cameras — treat as a systemic firmware quality issue.
  4. RTSP port 554 is commonly exposed — urgently review firewall rules for all GeoVision camera deployments.
  5. Patch and isolate pending GeoVision firmware release.

References

  • NVD — CVE-2026-57880
  • RFC 2617 — HTTP Authentication: Basic and Digest Access Authentication
  • GeoVision Official Website

Related Advisories

  • GeoVision LPC Camera thttpd Web Server Buffer Overflow (CVE-2026-57878)
  • GeoVision LPC Camera ssvr RTSP Custom Auth Buffer Overflow (CVE-2026-57879)
  • GeoVision LPC Camera vlsvr Remote Login Buffer Overflow (CVE-2026-57881)
#GeoVision#CVE-2026-57880#Buffer Overflow#RTSP#Digest Authentication#IoT Security#IP Camera#RCE

Related Articles

GeoVision LPC Camera Critical RCE via ssvr RTSP Auth Buffer Overflow (CVE-2026-57879)

A critical unauthenticated stack-based buffer overflow in the ssvr RTSP service of GeoVision GV-LPC2011 and GV-LPC2211 cameras allows remote attackers to...

4 min read

GeoVision LPC Camera Critical RCE via thttpd Buffer Overflow (CVE-2026-57878)

A critical unauthenticated stack-based buffer overflow in thttpd on GeoVision GV-LPC2011 and GV-LPC2211 cameras allows remote attackers to execute...

5 min read

GeoVision LPC Camera Critical RCE via vlsvr Remote Login Buffer Overflow (CVE-2026-57881)

A critical unauthenticated stack-based buffer overflow in the vlsvr daemon of GeoVision GV-LPC2011 and GV-LPC2211 cameras allows remote code execution...

6 min read
Back to all Security Alerts