An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.
The vulnerability exists in the DdnsSetting.cgi component responsible for DDNS configuration handling. An attacker with network access can submit a specially crafted DDNS configuration containing malicious input. Insufficient validation of configuration values causes this data to be passed directly to a system shell call (OS command injection), resulting in the execution of arbitrary commands in the context of the device.
An attacker can remotely execute arbitrary system commands on the vulnerable device, gaining full control over its operation, and potentially also over the network to which it is connected — including the ability to read and modify data as well as disrupt service availability.
Apply patches available from the manufacturer according to the references (https://www.geovision.com.tw/cyber_security.php). Until the update is applied, it is recommended to restrict network access to the device management interface only to trusted hosts and isolate devices in a dedicated network segment.
GeoVision GV-LPC2011 and GV-LPC2211 with firmware version 1.10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HGeovision Gv Lpc2011
HWGeovisionwszystkie wersjeGeovision Gv Lpc2011 Firmware
OSGeovision1.10Geovision Gv Lpc2211
HWGeovisionwszystkie wersjeGeovision Gv Lpc2211 Firmware
OSGeovision1.10
Related vulnerabilities
Privilege escalation w interfejsie Web GeoVision LPC2011/LPC2211
A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC221...
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...
Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/...