CVE-2026-12851
GeoVision · GV-I/O Box 4E
An unauthenticated OS command injection vulnerability in the libNetSetObj.so library of GeoVision GV-I/O Box 4E allows remote code execution via a crafted network packet.
Executive summary
A critical OS command injection vulnerability in the GeoVision GV-I/O Box 4E allows unauthenticated attackers to execute arbitrary system commands via the DNS configuration interface.
Vulnerability
The CNetSetObj::m_F_n_Set_DNS_Addr function fails to sanitize user-supplied DNS addresses before using them in the shell commands it executes. This allows an unauthenticated attacker to inject arbitrary commands through the DVRSearch service or Network.cgi.
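The class of fix for this kind of flaw, shown as an added example that is not GeoVision's code: accept a DNS server value only if it parses as a literal IP address, and build the resolver configuration without a shell. The function names `is_valid_dns_addr` and `build_resolv_conf` are hypothetical, and the example assumes DNS servers are always given as IPv4 or IPv6 literals.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Return 1 only if s is exactly one literal IPv4 or IPv6 address.
 * inet_pton() rejects trailing bytes, so shell metacharacters, spaces
 * and newlines all fail without needing a character blacklist. */
int is_valid_dns_addr(const char *s)
{
    unsigned char bin[sizeof(struct in6_addr)];
    if (s == NULL || s[0] == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, bin) == 1 || inet_pton(AF_INET6, s, bin) == 1;
}

/* Build resolver configuration text in out without invoking a shell.
 * Returns the number of bytes written, or -1 if any address is invalid
 * or the buffer is too small (out is then left empty). */
int build_resolv_conf(const char *const *addrs, size_t n, char *out, size_t outlen)
{
    size_t used = 0;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w;
        if (!is_valid_dns_addr(addrs[i]) ||
            (w = snprintf(out + used, outlen - used, "nameserver %s\n", addrs[i])) < 0 ||
            (size_t)w >= outlen - used) {
            out[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

int main(void)
{
    /* Constructed sample inputs: two valid resolvers, one rejected value. */
    const char *good[] = { "8.8.8.8", "2001:4860:4860::8888" };
    const char *bad[]  = { "8.8.8.8", "8.8.8.8;id" };
    char buf[128];
    printf("good -> %d\n%s", build_resolv_conf(good, 2, buf, sizeof buf), buf);
    printf("bad  -> %d\n", build_resolv_conf(bad, 2, buf, sizeof buf));
    return 0;
}
```

Rejecting the whole request when any one address fails keeps a partially valid list from ever reaching the configuration file.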
Business impact
The CVSS score of 9.1 reflects the high severity of this vulnerability. Successful exploitation permits an attacker to execute commands with the privileges of the application, which could lead to full system takeover and persistent unauthorized access to the environment.
Remediation
Immediate Action: Update the GeoVision GV-I/O Box 4E to the latest firmware version released by the vendor.
Proactive Monitoring: Review system configuration logs and monitor for unexpected changes to /etc/resolv.conf or other system files.
Compensating Controls: Restrict network access to the device so that only trusted management consoles can interact with the vulnerable network configuration endpoints.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this vulnerability and its potential for remote exploitation, immediate remediation is required. Security teams should ensure the latest firmware is deployed across all affected devices to prevent potential system compromise.