CVE-2026-7841
GeoVision · GV-ASWeb
A remote code execution vulnerability exists in the Notification Settings of GeoVision GV-ASWeb 6.
Executive summary
A critical remote code execution flaw in GeoVision GV-ASWeb 6 allows unauthenticated attackers to gain full system control.
Vulnerability
This remote code execution (RCE) vulnerability resides within the Notification Settings module. It allows an attacker to execute arbitrary code on the underlying system, likely without requiring prior authentication.
Business impact
The CVSS score of 8.8 underscores the High severity of this vulnerability. Compromise of an access control or web management system can lead to total system takeover, unauthorized physical access, and a pivot point into the internal network.
Remediation
Immediate Action: Restrict access to the GV-ASWeb interface to trusted internal networks and apply the latest security patches from GeoVision.
Proactive Monitoring: Review system logs for suspicious process creation or unusual outbound network traffic from the GV-ASWeb server.
Compensating Controls: Use a Web Application Firewall (WAF) with rules configured to block suspicious input patterns targeting the Notification Settings module.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability is exceptionally dangerous as it permits remote code execution. Systems running GeoVision GV-ASWeb must be isolated from the public internet immediately and patched to prevent potential exploitation.