
CVE-2026-12850: Critical Command Injection in GeoVision GV-I/O Box

Published June 25, 2026

CVE-2026-12850 is a critical OS command injection vulnerability (CWE-78) affecting the GeoVision GV-I/O Box, specifically version 4E 2.09. The flaw resides in the libNetSetObj.so shared object library, which manages the device's network objects. Unauthenticated attackers can execute arbitrary system commands by placing shell metacharacters in crafted network-object parameters that the library passes to the underlying system shell. Successful exploitation gives full control of the device, including the physical security hardware it drives, such as electronic locks and alarms, and provides a pivot point for lateral movement into the security VLANs on which these devices are usually deployed. Immediate firmware updates are required to neutralize this risk.

  • Vulnerability Analysis: Technical Root Cause

    • Located within the libNetSetObj.so component responsible for network object management.
    • Results from user-supplied input being concatenated into a command string and handed to the system shell without validation.
    • Enables shell metacharacters (;, |, & as command separators, ` and $() as command substitution) to append and execute attacker-chosen commands alongside the intended one.
  • Attack Vector: Exploitation Path

    • Attackers target the management interface or API endpoints that pass network configuration parameters to the vulnerable library.
    • Requires no authentication, or at most minimal privileges, to deliver the crafted network configuration parameters; any host that can reach the management interface is a candidate source.
    • Typical post-exploitation payloads are reverse shells or modified system binaries used for persistence across reboots.
  • Impact: Physical and Network Risk

    • Grants complete system compromise, allowing attackers to manipulate physical I/O states, such as unlocking secure doors or disabling alarms.
    • High risk of lateral movement, as these devices are frequently deployed on high-trust, isolated security VLANs.
    • Potential for permanent Denial of Service (DoS) or device bricking through malicious system-level configuration changes.
  • Detection: Indicators of Compromise

    • Unusual command patterns or unexpected shell execution entries in the system logs the device exposes (syslog, and auth.log where present); shell metacharacters inside logged request parameters are a strong signal.
    • Anomalous outbound network connections from the I/O box to unknown external IP addresses; these devices should only ever talk to their management server.
    • Unexplained physical security events, or log gaps indicating that alarm triggers were suppressed.
  • Mitigation: Remediation Strategies

    • Immediate application of the latest vendor-supplied firmware that patches the libNetSetObj.so library; verify the installed version is no longer 4E 2.09 after the update.
    • Strict Access Control Lists (ACLs) restricting management interface access to authorized administrative hosts, and no exposure of the management interface to the internet.
    • WAF or IPS rules to detect and block common shell injection patterns in HTTP traffic targeting the device's management ports; treat this as a stopgap until the firmware is updated, not as a fix, since a single unrecognised encoding bypasses it.
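The root cause above (a request value spliced into a shell command) and the remediation it implies are easiest to see side by side. The following C program is an added illustration of the CWE-78 bug class and is not GeoVision's code: the real libNetSetObj.so entry points, parameter names and the command it assembles are not given on this page, so `/bin/echo` stands in for whatever network tool the library invokes, `host` for an attacker-controlled network-object field, and the payload `192.0.2.1; echo INJECTED` is a constructed input. It contrasts the vulnerable `popen()` path with an allowlist check plus an `execv()` argv array, which is the pattern a patched library should follow.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added illustration of CWE-78, not GeoVision code. "/bin/echo" is a stand-in
 * for the network tool libNetSetObj.so really calls; "host" is a hypothetical
 * attacker-controlled network-object field. Each runner returns the child's
 * captured stdout (shared static buffer) or NULL on rejection/failure. */

static char g_out[256];

/* Drain fd into g_out and NUL-terminate it. */
static void capture(int fd)
{
    size_t n = 0;
    ssize_t r;
    while (n < sizeof g_out - 1 &&
           (r = read(fd, g_out + n, sizeof g_out - 1 - n)) > 0)
        n += (size_t)r;
    g_out[n] = '\0';
}

/* VULNERABLE pattern: the request value is spliced into a command string and
 * handed to "/bin/sh -c" by popen(), so ';', '|', '&', '`' and '$()' inside
 * host are parsed as shell syntax and a second command runs. */
const char *run_vulnerable(const char *host)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "echo %s", host) >= (int)sizeof cmd)
        return NULL;
    FILE *fp = popen(cmd, "r");
    if (!fp) return NULL;
    capture(fileno(fp));
    pclose(fp);
    return g_out;
}

/* Exec a fixed binary with an argv array: no shell ever parses host, so the
 * same metacharacters reach the program as one literal argument. */
const char *exec_argv_echo(const char *host)
{
    int pfd[2];
    if (pipe(pfd) < 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) return NULL;
    if (pid == 0) {
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *const argv[] = { "echo", (char *)host, NULL };
        execv("/bin/echo", argv);
        _exit(127);
    }
    close(pfd[1]);
    capture(pfd[0]);
    close(pfd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? g_out : NULL;
}

/* Allowlist: a hostname or IPv4 literal may contain only [A-Za-z0-9.-] and
 * may not start with '-' (the tool would read it as an option). Reject bad
 * input outright rather than "sanitizing" it by stripping characters. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED pattern: allowlist validation plus argv-based exec. Either layer
 * alone defeats the shell injection; together they also stop option injection. */
const char *run_hardened(const char *host)
{
    if (!is_safe_host(host)) return NULL;
    return exec_argv_echo(host);
}

int main(void)
{
    const char *payload = "192.0.2.1; echo INJECTED";   /* constructed input */
    const char *v = run_vulnerable(payload);             /* prints two lines */
    printf("vulnerable:\n%s", v ? v : "(failed)\n");
    const char *a = exec_argv_echo(payload);             /* one literal line */
    printf("argv only:\n%s", a ? a : "(failed)\n");
    printf("hardened: %s\n", run_hardened(payload) ? "ran" : "rejected");
    return 0;
}
```

Compile with `cc -Wall -o cwe78 cwe78.c && ./cwe78`. The vulnerable path prints `192.0.2.1` and then `INJECTED` on a second line, proving the appended command executed; the argv path prints the whole payload as a single literal line; the hardened path rejects it before anything runs. The same allowlist is what an interim WAF or IPS rule should approximate, but only the library-side fix removes the shell from the data path.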
