CVE-2026-7372

GeoVision · GV-VMS

A stack overflow in the GeoVision GV-VMS WebCam Server login functionality allows unauthenticated attackers to gain SYSTEM-level code execution via unconstrained sscanf calls.

Executive summary

A critical stack overflow in the GeoVision GV-VMS WebCam Server allows unauthenticated remote attackers to achieve full code execution as SYSTEM.

Vulnerability

The vulnerability exists due to an unconstrained sscanf call when processing authorization strings. If the username or password fields exceed 40 characters, a stack overflow occurs, permitting an attacker to execute code as SYSTEM.

Business impact

With a CVSS score of 9.0, this vulnerability is highly critical. An attacker can compromise the entire machine hosting the GV-VMS service, leading to total loss of confidentiality, integrity, and availability for the surveillance infrastructure.

Remediation

Immediate Action: Apply the latest firmware/software update for GeoVision GV-VMS to resolve the sscanf boundary checking issue.

Proactive Monitoring: Monitor for login attempts with malformed or excessively long credentials and watch for unexpected service behavior or system crashes.

Compensating Controls: Implement network-level access controls to restrict access to the WebCam Server and use a WAF to inspect and truncate overly long authorization headers.
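The boundary check the advisory calls for, as an added illustration that is not GeoVision's code: width-limited sscanf conversions cannot write past the local buffers, and an over-length field is reported as its own result code so the caller can log it, which is the signal the monitoring recommendation above asks for. The "user:password" layout, the buffer sizes and the result codes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The advisory cites a 40-character limit on username and password. */
#define FIELD_MAX 40

/* Result codes a caller can log; AUTH_TOO_LONG is the condition worth alerting on. */
enum auth_parse_result { AUTH_OK = 0, AUTH_MALFORMED = -1, AUTH_TOO_LONG = -2 };

/* The unsafe shape the advisory describes (illustrative, not the vendor's code):
 *   char user[40], pass[40];
 *   sscanf(auth, "%[^:]:%s", user, pass);   // no width limit: overflows on long input
 */

/* Parse "user:password" into caller buffers of at least FIELD_MAX + 1 bytes.
 * The %41 widths cap what sscanf writes; reading one byte more than the limit
 * lets us detect an over-length field without ever exceeding the local buffers. */
int parse_credentials_safe(const char *auth, char *user, char *pass)
{
    char u[FIELD_MAX + 2] = {0};   /* room for 41 chars plus NUL */
    char p[FIELD_MAX + 2] = {0};
    int n;

    if (auth == NULL)
        return AUTH_MALFORMED;

    /* %41[^:] stops at ':' or after 41 chars; %41[^\n] allows spaces in the password. */
    n = sscanf(auth, "%41[^:]:%41[^\n]", u, p);

    /* Check lengths first: a 41-char field means the input exceeded the limit,
     * whether or not the rest of the format matched. */
    if (strlen(u) > FIELD_MAX || strlen(p) > FIELD_MAX)
        return AUTH_TOO_LONG;
    if (n != 2)
        return AUTH_MALFORMED;

    strcpy(user, u);   /* both verified to be <= FIELD_MAX chars */
    strcpy(pass, p);
    return AUTH_OK;
}

/* Convenience wrapper for logging/classification when the values are not needed. */
int classify_auth(const char *auth)
{
    char user[FIELD_MAX + 1], pass[FIELD_MAX + 1];
    return parse_credentials_safe(auth, user, pass);
}
```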

Exploitation status

Public Exploit Available: false

Analyst recommendation

This flaw allows for remote code execution without authentication, presenting an extreme risk. Immediate patching is required to prevent attackers from gaining full control of the affected systems.