CVE-2026-12486

GeoVision · GV-I/O Box 4E

Multiple OS command injection vulnerabilities in the GeoVision GV-I/O Box 4E allow remote attackers to execute arbitrary commands via crafted network packets.

Executive summary

A critical command injection vulnerability in GeoVision GV-I/O Box 4E allows remote attackers to execute system commands through unauthenticated network requests.

Vulnerability

The internal library libNetSetObj.so passes input to the system() call within the CNetSetObj::m_F_n_Set_IP_Addr function without sanitizing it. Because this code path is reachable through the network-exposed DVRSearch service and the Network.cgi endpoint, the flaw allows remote command injection.

Business impact

With a CVSS score of 9.1 (critical), this vulnerability allows attackers to gain persistent access to the hardware device. This can lead to device takeover, credential theft, and the use of the device as a pivot point for further attacks on the internal network.

Remediation

Immediate Action: Update the firmware of the GV-I/O Box 4E to the latest version provided by the vendor.

Proactive Monitoring: Monitor network traffic for suspicious requests targeting the DVRSearch service or Network.cgi endpoint, specifically looking for shell metacharacters in parameters.

Compensating Controls: Restrict network access to the management interfaces of the I/O Box using network segmentation or firewall rules to limit exposure to trusted internal segments only.
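The following C code is an added example and is not GeoVision's firmware or library code. It illustrates two points from this advisory: the Vulnerability section (an IP-setting routine that hands untrusted text to system()) and the Proactive Monitoring step (spotting shell metacharacters in Network.cgi requests). The interface name, the ifconfig path, the parameter names and the sample request lines are assumptions constructed for the example; the vulnerable shape is shown only as a comment, while the hardened routine validates the address with inet_pton and execs a fixed argv so no shell ever parses the input.

```c
/* Added example, not GeoVision code.
 *  - is_ipv4_literal / set_ip_addr: hardened shape for a "set IP address"
 *    routine (validate, then execv a fixed argv; no system()).
 *  - request_is_suspicious: log-side check for shell metacharacters in a
 *    Network.cgi query, percent-decoding first so "%3B" is not missed.
 * Interface name, tool path, parameter names and log format are assumptions. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ADDR_LEN 15          /* "255.255.255.255" */
#define DECODE_BUF   512

/* 1 if s is exactly one dotted-quad IPv4 literal, else 0. inet_pton accepts
 * nothing but the address itself, so ';', '|', '`', '$' and whitespace fail. */
int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ADDR_LEN) return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Vulnerable shape (the pattern the advisory describes; text only):
 *     snprintf(cmd, sizeof cmd, "ifconfig eth0 %s", addr);
 *     system(cmd);        -- /bin/sh interprets whatever addr contains
 *
 * Hardened shape: validate, then exec a fixed argv so no shell is involved.
 * Returns the child's exit status, or -1 if addr was rejected or exec failed.
 * (The tool path and interface are assumptions for this example.) */
int set_ip_addr(const char *iface, const char *addr)
{
    if (!is_ipv4_literal(addr)) return -1;      /* reject before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ifconfig", (char *)iface, (char *)addr, NULL };
        execv("/sbin/ifconfig", argv);
        _exit(127);                             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Percent-decode src into dst (cap bytes); '+' becomes space, bad escapes are
 * copied through unchanged. */
static void percent_decode(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < cap; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
}

/* 1 if the request line targets Network.cgi and any query parameter, after
 * percent-decoding, contains a shell metacharacter; 0 otherwise. The raw '&'
 * between parameters is a legitimate separator, so the query is split on it
 * first and only a decoded '&' inside a value counts. */
int request_is_suspicious(const char *request_line)
{
    const char *path = strstr(request_line, "/Network.cgi");
    if (path == NULL) return 0;
    const char *q = strchr(path, '?');
    if (q == NULL) return 0;
    q++;
    const char *end = strchr(q, ' ');           /* before " HTTP/1.1" */
    if (end == NULL) end = q + strlen(q);
    while (q < end) {
        const char *amp  = memchr(q, '&', (size_t)(end - q));
        const char *pend = amp ? amp : end;
        char raw[DECODE_BUF], decoded[DECODE_BUF];
        size_t n = (size_t)(pend - q);
        if (n >= sizeof raw) n = sizeof raw - 1;
        memcpy(raw, q, n);
        raw[n] = '\0';
        percent_decode(raw, decoded, sizeof decoded);
        if (strpbrk(decoded, ";|&`$\n\r") != NULL) return 1;
        q = pend + 1;
    }
    return 0;
}
```

The detection routine is deliberately run over the decoded value of each parameter: an encoded metacharacter such as `%3B` looks harmless in a raw log line but reaches the CGI handler as `;`. On the device side, the important property of set_ip_addr is that the address string is never concatenated into a command line at all; even if validation were somehow bypassed, execv passes it as a single argv element rather than text for a shell to parse.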

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability highlights significant security deficiencies in the device's network configuration handling. Administrators must apply the latest firmware updates immediately and restrict management access to the device to mitigate the risk of remote exploitation.