8 Takeover Flaws in GeoVision GV-I/O Box 4E (CVE-2026-12485 and more) — Update to v2.12 Now
GeoVision's GV-I/O Box 4E, a device that controls alarms and electric locks alongside surveillance cameras, has 8 vulnerabilities allowing remote takeover without a password. The top severity is CVSS 10.0. Firmware 2.09 is affected; update to the fixed v2.12. Left unpatched, the device can become a stepping stone for attacks or network intrusion.

Makoto Horikawa
Backend Engineer / AWS / Django
A small device used to connect alarm sensors and electric locks to surveillance camera systems, the GeoVision "GV-I/O Box 4E," has been found to contain 8 vulnerabilities (software flaws) that allow it to be hijacked remotely without a password. Four of them carry the maximum severity rating of CVSS 10.0.
The flaws were discovered by Cisco Talos, Cisco's research team. The affected version is the older firmware (the software inside the device) version 2.09, and the manufacturer has already released a fixed version, v2.12. If left unpatched, the device can be fully taken over across the internet, risking false operation of connected alarms and doors, or becoming a foothold for intrusion into the internal network.
What exactly is the GV-I/O Box 4E?
GeoVision is a Taiwanese security-equipment maker that sells surveillance cameras, recording systems, and access-control systems worldwide. The GV-I/O Box 4E at issue here is a relay device that connects "sensors and switches" to those surveillance systems.
Specifically, it has 4 inputs (which receive signals from sensors, fire alarms, and so on) and 4 outputs (which turn electric locks, alarm buzzers, warning lights, etc. on and off). It connects to the network with an Ethernet cable and supports PoE (power over the LAN cable). It also offers remote operation from a smartphone app.
In short, it is a behind-the-scenes device that handles physical actions such as "unlocking a door" or "sounding an alarm" over the network at stores, offices, factories, and other facilities. It is unglamorous, but it falls into the category of equipment whose compromise can have a large impact.
Who targets it, what they do, and what happens
What happens when this device is targeted? Here is a plain-language breakdown.
The first to come after it are attackers who automatically scan for security devices exposed on the internet, and operators of "botnets" that herd hijacked devices to attack others. Network devices like the GV-I/O Box are often left without firmware updates for years after installation, making them an ideal target for such actors.
What they do is simple. By sending a single crafted piece of data to the communication port the device is listening on, they can run any program they like inside the device without logging in. Four of these 8 flaws require no user ID and no password at all.
Once a takeover succeeds, the damage spreads in two directions. One is physical damage. If an attacker can freely operate the electric locks and alarms connected to the GV-I/O Box, that can lead to faking a locked state or disabling alarms. The other is damage to the whole network. A hijacked device can be used as a "stepping stone" to break into recording servers or business systems on the same network, or be conscripted into a botnet that attacks other sites.
The pattern of surveillance cameras and IoT devices being hijacked and turned into attack tools has recurred in recent years. Vulnerabilities confirmed to be under active attack can be tracked in a list published by the U.S. agency CISA. We maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition), a useful gauge for checking whether your own devices have entered the "actively attacked" stage.
How it reached disclosure
A fixed version is already out. Here is the timeline from discovery to disclosure.
What the 8 vulnerabilities are
The 8 split into two groups. The first 4 are "buffer overflows" (a flaw where received data overflows its allotted storage and overwrites another area) that can be exploited without a password, all rated CVSS 10.0. The latter 4 are "command injection" flaws (a flaw where input is executed directly as a command inside the device), rated CVSS 9.1.
| CVE ID | Type | Severity (CVSS) | Login needed? | Affected field |
|---|---|---|---|---|
| CVE-2026-12485 | Buffer overflow | 10.0 | No | IP address field |
| CVE-2026-12846 | Buffer overflow | 10.0 | No | Net mask field |
| CVE-2026-12847 | Buffer overflow | 10.0 | No | Gateway field |
| CVE-2026-12848 | Buffer overflow | 10.0 | No | DNS field |
| CVE-2026-12486 | Command injection | 9.1 | Yes (high priv.) | IP address handling |
| CVE-2026-12849 | Command injection | 9.1 | Yes (high priv.) | Net mask setting |
| CVE-2026-12850 | Command injection | 9.1 | Yes (high priv.) | Gateway setting |
| CVE-2026-12851 | Command injection | 9.1 | Yes (high priv.) | DNS setting |
CVE-2026-12485 / 12846 / 12847 / 12848: four flaws hijackable without a password (CVSS 10.0)
These 4 all occur in a function called "DVRSearch" that constantly listens on the network. DVRSearch is a service for discovering devices; it listens on UDP port 10001 (a communication entry point), and anyone on the network can send it messages without authentication.
When it receives a command to change network settings (CMD_IP_SET), the device reads the supplied values into internal storage, up to 1,460 bytes. However, in each of the IP address field, net mask field, gateway field, and DNS field, it copies the data without checking its length. As a result, the data overflows the storage and the attacker can run arbitrary programs inside the device. Because no login is required at all, all 4 are rated the maximum CVSS 10.0.
CVE-2026-12486 / 12849 / 12850 / 12851: four flaws that slip in commands (CVSS 9.1)
The remaining 4 are in a component inside the device that handles network configuration, a library called "libNetSetObj.so." This library is a central part that configures the IP address, net mask, gateway, and DNS, and starts and stops various services.
The problem is that it executes received values directly as the device's OS commands (the system function) without checking them. For example, the gateway setting routine (m_F_n_Set_Gate_way) runs the passed string as a command as-is. The same problem was found in the net mask setting, DNS setting, and IP address setting. These routines can be reached both from the aforementioned DVRSearch and from "Network.cgi," which runs behind the settings screen. These require higher privileges, so the CVSS is 9.1, but combined with the takeover flaws above they can form a single attack chain.
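Both flaw classes above come down to the same four text fields being trusted as received, so one check at the input boundary addresses both: measure the field before copying it, and accept only a strict IPv4 literal before the value goes anywhere near a command. The following C code is an added example, not GeoVision's or Cisco Talos's code; the function name `parse_ipv4_field`, the 64-byte field size and the sample inputs are assumptions, since the page does not give the packet layout.

```c
#include <arpa/inet.h>
#include <string.h>

/* Hypothetical helper (an assumption, not GeoVision's code): take one IPv4
 * text field from an untrusted datagram and write a canonical copy to out[].
 * Returns 0 on success, -1 if the field is rejected. */
int parse_ipv4_field(const unsigned char *field, size_t field_len,
                     char *out, size_t out_sz)
{
    char tmp[INET_ADDRSTRLEN];          /* 16 bytes: "255.255.255.255" + NUL */
    struct in_addr addr;
    const unsigned char *nul;
    size_t n;

    if (out == NULL || out_sz < INET_ADDRSTRLEN)
        return -1;
    out[0] = '\0';
    if (field == NULL || field_len == 0)
        return -1;

    /* 1. Length check before any copy: measure inside the field only. */
    nul = memchr(field, '\0', field_len);
    n = nul ? (size_t)(nul - field) : field_len;
    if (n == 0 || n >= sizeof tmp)
        return -1;
    memcpy(tmp, field, n);
    tmp[n] = '\0';

    /* 2. Allow-list check: only a dotted-quad literal parses, so shell
     *    metacharacters, spaces and hostnames are all rejected here. */
    if (inet_pton(AF_INET, tmp, &addr) != 1)
        return -1;

    /* 3. Re-render from the binary value so later code never handles the
     *    sender's bytes, only text this function generated. */
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)out_sz) == NULL) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char good[64] = "192.168.1.1";   /* constructed sample input */
    char out[INET_ADDRSTRLEN];
    return parse_ipv4_field(good, sizeof good, out, sizeof out);
}
```

A value that passes this check can be applied through a configuration API or an argument vector; passing it to a shell is what the second group of flaws shows to be unsafe.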
A quick check of whether your device is affected
The affected firmware is 2.09. The fixed version 2.12 resolves all 8 flaws. First, check your device's version in the management screen.
| Firmware version | Effect of the 8 | Priority | What to do |
|---|---|---|---|
| v2.09 (and earlier) | Affected (takeover risk) | Top | Update to v2.12 now |
| v2.12 (and later) | Not affected (fixed) | — | No action if applied |
| Version unknown | Needs checking | High | Check screen, update |
What to do now
The top priority is to update to the fixed version v2.12. GeoVision released the fix on April 28, 2026, about one week after being notified. Update steps and the latest firmware can be found on GeoVision's security information page and product support.
If you cannot update immediately, three mitigations help. First, do not expose the GV-I/O Box directly to the internet; a state reachable from outside is the most dangerous. Second, restrict access to UDP port 10001, which the device listens on, to a trusted management network only. Third, segment your security devices away from the business network (separate and isolate the networks) so that even if one is hijacked, the damage does not spread.
These basics, "do not leave network devices unattended, narrow the entry points, and isolate them," apply to all IoT devices, including surveillance cameras and routers. The vulnerabilities attackers are actively exploiting keep growing, so we recommend regularly checking whether your devices are listed in the CISA KEV Dashboard (Japanese edition).
Summary
The 8 vulnerabilities found in the GeoVision GV-I/O Box 4E include ones that allow remote takeover of the device without a password, with a maximum rating of CVSS 10.0, the most severe. In response to the report from Cisco Talos, who discovered them, the manufacturer has already released the fixed version v2.12.
Because this device handles alarms and electric locks in security systems, a takeover can lead to both physical damage and network intrusion. Devices that tend to be forgotten after installation are exactly the ones most likely to be targeted, so it is worth re-checking the version and promptly updating older units. If new vulnerabilities concerning the GV-I/O Box emerge, we will track them by adding to this article.
References
- Cisco Talos - TALOS-2026-2377 (GV-I/O Box 4E buffer overflow)
- GeoVision - Cyber Security (security information page)
- GeoVision - GV-I/O Box 4E product page
- NVD - CVE-2026-12485 (IP address field buffer overflow)
- NVD - CVE-2026-12846 (net mask field buffer overflow)
- NVD - CVE-2026-12847 (gateway field buffer overflow)
- NVD - CVE-2026-12848 (DNS field buffer overflow)
- NVD - CVE-2026-12486 (IP address setting command injection)
- NVD - CVE-2026-12849 (net mask setting command injection)
- NVD - CVE-2026-12850 (gateway setting command injection)
- NVD - CVE-2026-12851 (DNS setting command injection)
- Vulnerability-Lookup - CVE-2026-12846