CRITICAL🇵🇱 Wersja polska

CVE-2026-42364

CVSS 9.9v3.1pub. 2026-05-04upd. 2026-06-15

An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.

🤖 AI Analysis
How it works

The vulnerability exists in the DdnsSetting.cgi component responsible for DDNS configuration handling. An attacker with network access can submit a specially crafted DDNS configuration containing malicious input. Insufficient validation of configuration values causes this data to be passed directly to a system shell call (OS command injection), resulting in the execution of arbitrary commands in the context of the device.

Impact

An attacker can remotely execute arbitrary system commands on the vulnerable device, gaining full control over its operation, and potentially also over the network to which it is connected — including the ability to read and modify data as well as disrupt service availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references (https://www.geovision.com.tw/cyber_security.php). Until the update is applied, it is recommended to restrict network access to the device management interface only to trusted hosts and isolate devices in a dedicated network segment.

Who is affected

GeoVision GV-LPC2011 and GV-LPC2211 with firmware version 1.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Geovision Gv Lpc2011

    HW
    Geovision
    wszystkie wersje
  • Geovision Gv Lpc2011 Firmware

    OS
    Geovision
    1.10
  • Geovision Gv Lpc2211

    HW
    Geovision
    wszystkie wersje
  • Geovision Gv Lpc2211 Firmware

    OS
    Geovision
    1.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-42368CRITICAL9.9PL ✓ten sam produkt

Privilege escalation w interfejsie Web GeoVision LPC2011/LPC2211

CVE-2026-42365HIGH8.6ten sam produkt

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC221...

CVE-2026-42366HIGH7.4ten sam produkt

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...

CVE-2026-7371HIGH7.4ten sam produkt

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...

CVE-2026-42367MEDIUM6.5ten sam produkt

A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/...