CVE-2026-12849

GeoVision · GV-I/O Box 4E

An unauthenticated OS command injection vulnerability in the libNetSetObj.so library of GeoVision GV-I/O Box 4E allows remote code execution via a crafted network packet.

Executive summary

A critical OS command injection vulnerability in the GeoVision GV-I/O Box 4E enables unauthenticated remote attackers to execute arbitrary system commands, posing a severe risk to device integrity.

Vulnerability

The vulnerability exists within the CNetSetObj::m_F_n_Set_Net_Mask function, which takes the supplied network-mask value and passes it into an OS command executed through a system call without validating or escaping it. Shell metacharacters in the value are therefore interpreted by the shell, which is the classic OS command injection pattern. The function is reachable by unauthenticated remote attackers via the DVRSearch service or the Network.cgi endpoint.
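The following C program is an added illustration of the bug class described above; it is not the vendor's code and does not reproduce the decompiled CNetSetObj::m_F_n_Set_Net_Mask. It assumes (hypothetically) that the netmask value is dropped into an "ifconfig eth0 netmask ..." command line, shows how an input such as "255.255.255.0; id" turns that into arbitrary command execution, and places beside it the hardened form a practitioner would expect: a strict allow-list check for a contiguous dotted-quad mask, plus execution through execv() with an argv array so that no shell ever parses the value.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bug class illustrated (hypothetical shape, not the decompiled
 * CNetSetObj::m_F_n_Set_Net_Mask): the caller's netmask string is dropped
 * into a shell command line. A value such as "255.255.255.0; id" makes the
 * shell run "id" (or anything else) as the service's user. */
static char g_cmd[256];
const char *unsafe_cmd(const char *mask)
{
    /* constructed example command; the real tool and interface are unknown */
    snprintf(g_cmd, sizeof g_cmd, "ifconfig eth0 netmask %s", mask);
    return g_cmd;                            /* would be handed to system(g_cmd) */
}

/* Allow-list check for a netmask: strict dotted-quad parse, then require the
 * bits to be a contiguous run of ones followed by zeros. Rejects shell
 * metacharacters, trailing junk and non-contiguous masks. 0.0.0.0 is also
 * rejected here as a conservative choice. Returns 1 if valid, else 0. */
int is_valid_netmask(const char *mask)
{
    struct in_addr a;
    uint32_t m, inv;

    if (mask == NULL || strlen(mask) > 15)
        return 0;
    if (inet_pton(AF_INET, mask, &a) != 1)   /* no extra characters allowed */
        return 0;
    m = ntohl(a.s_addr);
    if (m == 0)
        return 0;
    inv = ~m;                                /* contiguous ones <=> inv+1 is a power of two */
    return (inv & (inv + 1)) == 0;
}

/* Interface names: short, alphanumeric plus '.', '_' and '-'. */
int is_valid_ifname(const char *iface)
{
    size_t n = strlen(iface);
    if (n == 0 || n > 15)
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = iface[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened path: validate both arguments, then exec the tool directly with
 * an argv array. No shell ever parses the values, so metacharacters carry no
 * meaning even if a check is later relaxed. Returns -1 on rejected input or
 * exec failure, otherwise the tool's exit status. */
int set_netmask_safe(const char *iface, const char *mask)
{
    if (!is_valid_ifname(iface) || !is_valid_netmask(mask))
        return -1;

    char *const argv[] = { "/sbin/ifconfig", (char *)iface, "netmask",
                           (char *)mask, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                          /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs: two benign-looking, two injection attempts */
    const char *inputs[] = { "255.255.255.0", "255.0.255.0",
                             "255.255.255.0; id", "255.255.255.0`reboot`" };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s valid=%d  unsafe cmd: %s\n", inputs[i],
               is_valid_netmask(inputs[i]), unsafe_cmd(inputs[i]));
    return 0;
}
```

The allow-list check is the primary control and the argv-based exec is the backstop: even if a future change weakens the validation, the value is handed to the tool as a single argument rather than parsed by /bin/sh. Rejecting the input at the validation step also gives the device a clean place to log the attempt.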

Business impact

A successful exploit allows full remote command execution with system-level privileges, with no credentials required. Given the CVSS score of 9.1, this vulnerability presents a critical risk: total device compromise, unauthorized access to the network the device sits on, and a foothold for lateral movement into the surrounding production environment.

Remediation

Immediate Action: Update the GeoVision GV-I/O Box 4E firmware to the latest available version provided by the vendor.

Proactive Monitoring: Inspect network traffic for anomalous requests directed at the DVRSearch service or the Network.cgi endpoint, in particular network-configuration requests whose parameters carry shell metacharacters (such as ; | ` $( ) or values that are not well-formed IPv4 addresses or masks.

Compensating Controls: Implement strict firewall rules that restrict access to the device's management interfaces, including the DVRSearch service and the web interface serving Network.cgi, to authorized management addresses only, and ensure the device is not reachable from the internet. This reduces the attack surface until the firmware update is applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a significant security failure that could lead to complete device takeover. Administrators must prioritize applying the vendor-supplied security update immediately to mitigate the risk of remote code execution.