CRITICAL🇵🇱 Wersja polska

CVE-2026-42368

CVSS 9.9v3.1pub. 2026-05-04upd. 2026-06-15

A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute priviledged operation. An attacker can visit a webpage to trigger this vulnerability.

🤖 AI Analysis
How it works

The vulnerability results from improper authorization verification (CWE-266) in the device's web interface layer. An attacker authenticated as a user with low privilege level can send a specially crafted HTTP request that causes execution of operations reserved for the administrator. Exploiting the vulnerability only requires visiting an appropriately prepared page or sending a request to a specific web endpoint without requiring any interaction on the victim's side.

Impact

An attacker can gain full control of the device by performing privileged operations — which with a changed scope vector (Scope: Changed) can result in compromising the confidentiality, integrity and availability of both the device itself and systems associated with it.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references (https://www.geovision.com.tw/cyber_security.php). Additionally, it is recommended to restrict access to the web interface of devices exclusively to trusted networks and implement multi-factor authentication mechanisms where possible.

Who is affected

GeoVision GV-LPC2011 and GV-LPC2211 with firmware version 1.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Geovision Gv Lpc2011

    HW
    Geovision
    wszystkie wersje
  • Geovision Gv Lpc2011 Firmware

    OS
    Geovision
    1.10
  • Geovision Gv Lpc2211

    HW
    Geovision
    wszystkie wersje
  • Geovision Gv Lpc2211 Firmware

    OS
    Geovision
    1.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2026-42364CRITICAL9.9PL ✓ten sam produkt

Command injection w GeoVision LPC2011/LPC2211 via konfiguracja DDNS

CVE-2026-42365HIGH8.6ten sam produkt

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC221...

CVE-2026-42366HIGH7.4ten sam produkt

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...

CVE-2026-7371HIGH7.4ten sam produkt

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the Web Interface / ssi.cgi functionali...

CVE-2026-42367MEDIUM6.5ten sam produkt

A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/...