A critical stack-based buffer overflow in GeoVision GV-VMS allows unauthenticated remote attackers to achieve full code execution as SYSTEM due to the absence of ASLR.

The vulnerability occurs in the gvapi endpoint, which fails to perform bounds checking when processing base64-decoded strings from the HTTP Authorization header. This allows an attacker to overwrite the stack, leading to arbitrary code execution.

Given the CVSS score of 10, this is a maximum-severity vulnerability. Exploitation allows an attacker to gain full control over the host running the GV-VMS service with SYSTEM privileges, enabling data theft, lateral movement, and complete compromise of the surveillance network.

Immediate Action: Apply the vendor-provided security update for GV-VMS V20 immediately.

Proactive Monitoring: Monitor for anomalous spikes in traffic to the gvapi endpoint and review host logs for unauthorized binary execution or service crashes.

Compensating Controls: If a patch cannot be applied, disable the "WebCam Server" feature if it is not strictly required for business operations.

Public Exploit Available: false

This vulnerability requires urgent remediation. The lack of ASLR in the affected component makes exploitation highly reliable; therefore, administrators must prioritize updating the GV-VMS software to prevent potential system-wide compromise.