GeoVision GV-I/O Box 4E DVRSearch Unauthenticated Stack Buffer Overflow RCE (CVE-2026-12485)
by Cisco Talos Intelligence (discovery, TALOS-2026-2377); Ashraf Zaryouh / 0xBlackash (PoC) · 2026-06-30
- Severity: Critical
- CVE: CVE-2026-12485
- Category: network
- Affected product: GeoVision GV-I/O Box 4E (Linux-based smart embedded I/O device)
- Affected versions: Firmware v2.09 and earlier
- Disclosed: 2026-06-30
- Patch status: patched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | Cisco Talos Intelligence (discovery, TALOS-2026-2377); Ashraf Zaryouh / 0xBlackash (PoC) |
| CVE / Advisory | CVE-2026-12485 |
| Category | network |
| Severity | Critical |
| CVSS Score | 10.0 (CVSSv3.1; AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Status | PoC |
| Tags | RCE, unauthenticated, stack-overflow, buffer-overflow, IoT, GeoVision, DVR, embedded, UDP, network, Python, CVSS-10 |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | GeoVision GV-I/O Box 4E (Linux-based smart embedded I/O device) |
| Versions Affected | Firmware v2.09 and earlier |
| Language / Platform | Python (PoC); Linux ARM/MIPS (target firmware) |
| Authentication Required | No (unauthenticated, network-accessible) |
| Network Access Required | Yes (UDP port 10001) |
Summary
CVE-2026-12485 is a CVSS 10.0 unauthenticated stack-based buffer overflow in the GeoVision GV-I/O Box 4E, a Linux-based smart I/O device used in physical security and building automation. The DVRSearch service listens on UDP port 10001 and handles CMD_IP_SET commands that set the device's network configuration. The handler memcpy()s user-controlled data into a fixed-size stack buffer using a length it never validates, so a single crafted datagram yields remote code execution with no authentication. Discovered by Cisco Talos Intelligence (TALOS-2026-2377). Fixed in firmware v2.12.
Vulnerability Details
Root Cause
In the DVRSearch service's CMD_IP_SET handler, the IP address field from the incoming UDP packet is copied into a fixed-size stack buffer with memcpy(). The length argument (v3 in the decompiled handler) is taken directly from the attacker-controlled packet and is never compared against the size of the destination buffer. A payload longer than the buffer overwrites the saved return address on the stack and gives the attacker control of execution.
CWE-121 (Stack-Based Buffer Overflow).
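The pattern above, shown as an added example that is not GeoVision firmware code and not the Talos/0xBlackash PoC: a CMD_IP_SET handler written the way the root cause describes (length from the packet, no bound before memcpy()), beside a hardened version that enforces the bound and validates the content, plus the same bound expressed as a detection predicate. The wire layout (one opcode byte, one length byte, then the IP string), the opcode value 0x01, the 16-byte buffer and the sample datagrams are assumptions for illustration; the page does not document the real DVRSearch packet format.

```c
/*
 * Added example, not GeoVision firmware and not the advisory's PoC.
 * Assumed wire layout (illustration only; real DVRSearch format unknown):
 *     [u8 cmd][u8 ip_len][ip_len bytes: dotted-quad IPv4 string]
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_IP_SET  0x01   /* assumed opcode value */
#define IP_BUF_SIZE 16     /* "255.255.255.255" plus terminating NUL */

/* VULNERABLE: mirrors the root cause. v3 is the attacker-controlled length and
 * nothing compares it with sizeof ip before the memcpy(), so v3 >= 16 writes
 * past ip[] into the saved frame. Call only with in-bounds input; it is here
 * to show the bug beside its fix, not to trigger it. */
static int handle_ip_set_vuln(const uint8_t *pkt, size_t pkt_len, char *out)
{
    char ip[IP_BUF_SIZE];
    if (pkt_len < 2 || pkt[0] != CMD_IP_SET)
        return -1;
    uint8_t v3 = pkt[1];             /* length straight from the datagram */
    memcpy(ip, pkt + 2, v3);         /* CWE-121: unbounded stack copy */
    ip[v3] = '\0';
    memcpy(out, ip, (size_t)v3 + 1);
    return 0;
}

/* Syntactic IPv4 check: exactly four decimal octets, each in 0..255. */
static int is_dotted_quad(const char *s)
{
    int octets = 0;
    while (*s) {
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s++ - '0');
            if (++digits > 3 || val > 255)
                return 0;
        }
        if (digits == 0)
            return 0;                /* empty octet or non-digit character */
        octets++;
        if (*s == '.') {
            if (*++s == '\0')
                return 0;            /* trailing dot */
        } else if (*s) {
            return 0;
        }
    }
    return octets == 4;
}

/* FIXED: bound the declared length by the buffer and by the datagram, then
 * validate the content before it reaches network configuration. */
static int handle_ip_set_fixed(const uint8_t *pkt, size_t pkt_len, char *out)
{
    char ip[IP_BUF_SIZE];
    if (pkt_len < 2 || pkt[0] != CMD_IP_SET)
        return -1;
    size_t len = pkt[1];
    if (len >= sizeof ip)            /* the missing bound; keeps room for NUL */
        return -1;
    if (len > pkt_len - 2)           /* declared length runs past the datagram */
        return -1;
    memcpy(ip, pkt + 2, len);
    ip[len] = '\0';
    if (!is_dotted_quad(ip))
        return -1;
    memcpy(out, ip, len + 1);
    return 0;
}

/* Detection-side view of the same bound: a CMD_IP_SET datagram whose declared
 * IP length cannot hold a dotted quad is an overflow attempt, not a config change. */
int cmd_ip_set_oversized(const uint8_t *pkt, size_t pkt_len)
{
    return pkt_len >= 2 && pkt[0] == CMD_IP_SET && pkt[1] >= IP_BUF_SIZE;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t PKT_GOOD[]  = { CMD_IP_SET, 12, '1','9','2','.','1','6','8','.','1','.','5','0' };
static const uint8_t PKT_TRUNC[] = { CMD_IP_SET, 12, '1','9','2','.' };   /* claims 12, carries 4 */
static const uint8_t PKT_JUNK[]  = { CMD_IP_SET, 4, 'A','B','C','D' };
static uint8_t PKT_BIG[2 + 200];   /* 200-byte field, the checker's largest length test */

size_t build_big(void)
{
    PKT_BIG[0] = CMD_IP_SET;
    PKT_BIG[1] = 200;
    memset(PKT_BIG + 2, 'A', 200);
    return sizeof PKT_BIG;
}

/* Thin wrappers so a caller needs no output buffer; the status is the result. */
static char g_ip[IP_BUF_SIZE];
int run_fixed(const uint8_t *pkt, size_t n) { return handle_ip_set_fixed(pkt, n, g_ip); }
int run_vuln_inbounds(const uint8_t *pkt, size_t n) { return handle_ip_set_vuln(pkt, n, g_ip); }
const char *parsed_ip(void) { return g_ip; }

int main(void)
{
    size_t big = build_big();
    printf("good  fixed=%d ip=%s\n", run_fixed(PKT_GOOD, sizeof PKT_GOOD), parsed_ip());
    printf("trunc fixed=%d\n", run_fixed(PKT_TRUNC, sizeof PKT_TRUNC));
    printf("junk  fixed=%d\n", run_fixed(PKT_JUNK, sizeof PKT_JUNK));
    printf("big   fixed=%d oversized=%d\n", run_fixed(PKT_BIG, big), cmd_ip_set_oversized(PKT_BIG, big));
    return 0;
}
```

The fix is two comparisons the original handler lacks: the declared length must be smaller than the destination buffer (strictly, so the terminator fits) and must not exceed what the datagram actually carries. The content check is a second line of defence; an IPv4 string never needs more than 15 bytes, which is also why a datagram declaring a 200-byte IP field is a clean detection signal on UDP/10001 rather than a false positive.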
Attack Steps
- Identify the target device on the network (UDP/10001 responds to probe packets).
- Craft a malicious UDP CMD_IP_SET packet with an oversized IP address field.
- Send the packet to UDP port 10001 on the target device.
- The stack buffer overflow overwrites the return address; the payload executes as root on the device.
Impact
- Full unauthenticated remote code execution as root on the embedded device.
- Complete device compromise: firmware modification, persistence, pivot to adjacent networks.
- Physical security risk: GV-I/O Box 4E controls physical I/O such as door locks, alarms, and access control relays.
- The DVRSearch service requires no authentication, and these devices are commonly LAN-exposed, and sometimes internet-exposed, in building automation environments.
Environment / Lab Setup
Target: GeoVision GV-I/O Box 4E, firmware v2.09 or earlier
Attacker: Python 3 with socket library
Network: UDP/10001 reachable from attacker
Proof of Concept
Detection / Checker Script
The PoC (CVE-2026-12485.py) is a non-destructive detection script. It probes UDP/10001 to fingerprint the DVRSearch service and then sends a series of test packets of increasing size that stay below the overflow threshold, so the target is not crashed or exploited. Note the limit of this approach: a response to every probe confirms that the service is reachable, not that the firmware is unpatched. Check the firmware version (v2.09 or earlier is affected) before reporting a host as vulnerable.
Expected Output (Vulnerable Device)
[*] Sending probe to 192.168.1.50:10001...
[*] Received response (128 bytes) from 192.168.1.50:10001
[*] DVRSearch service detected.
[*] Length test — Size 50 -> Response received (128 bytes)
[*] Length test — Size 100 -> Response received (128 bytes)
[*] Length test — Size 200 -> Response received (128 bytes)
[!] Service appears active. Update firmware immediately (GV-IOBOX_2026-06-01).
Detection & Indicators of Compromise
- Inbound UDP traffic to port 10001 on GV-I/O Box devices from hosts outside the management segment; the service has no legitimate reason to accept configuration commands from untrusted networks.
- Oversized CMD_IP_SET datagrams. This follows from the root cause: a dotted-quad IPv4 address is at most 15 characters, so a CMD_IP_SET packet whose IP address field is far longer than that is an overflow attempt rather than a configuration change.
- On the device itself, the post-exploitation effects listed under Impact: modified firmware, unexpected persistent processes, and outbound connections toward adjacent networks.
Mitigation (without patching):
- Block UDP/10001 from all untrusted segments and allow it only from designated management hosts.
- Keep GV-I/O Box devices on an isolated VLAN with no direct internet exposure (see Remediation).
Remediation
| Action | Detail |
|---|---|
| Patch | Update to GeoVision firmware v2.12 (GV-IOBOX_2026-06-01) via official GeoVision security channels |
| Network | Place GV-I/O Box devices behind firewall; block UDP/10001 from untrusted segments |
| Isolate | Segment IoT/physical security devices on dedicated VLAN with no direct internet access |
References
- Cisco Talos Intelligence advisory TALOS-2026-2377 (discovery)
- CVE-2026-12485
- GeoVision firmware v2.12 (GV-IOBOX_2026-06-01), the fixed release