GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);
The DVRSearch service operates by default on the device and listens for UDP messages on port 10001 — it is accessible to every user on the network without authentication. When receiving UDP messages, the service reads up to 1460 bytes into a local buffer, and a pointer to this buffer is stored in a global variable. The critical flaw lies in the 'gateway' field: the code calls the memcpy function, copying the contents of the gateway field from the network configuration into a local stack buffer without verifying data length, allowing an attacker to perform a controlled stack overflow.
An attacker can cause arbitrary code execution on the device (RCE) or make it unavailable. Due to the lack of authentication requirements and network attack vector, successful exploitation of the vulnerability gives full control over the device, including its inputs and output relays.
Patches available from the manufacturer should be applied in accordance with the references (https://www.geovision.com.tw/cyber_security.php). Until the update is applied, it is recommended to isolate GV-I/O Box 4E devices from untrusted network segments and block access to UDP port 10001 at the firewall level for unauthorized hosts.
GeoVision GV-I/O Box 4E device — specific firmware versions indicated in the manufacturer's references and Talos Intelligence report TALOS-2026-2377.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H