CVE-2024-11120 (CVSS 9.8): OS Command Injection Flaw in GeoVision Devices Actively Exploited, No Patch
The Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) has issued a warning about an actively exploited critical vulnerability in certain end-of-life (EOL) GeoVision devices. Tracked as CVE-2024-11120 with a CVSS score of 9.8, this vulnerability allows unauthenticated remote attackers to execute arbitrary system commands, posing a significant risk to users of the affected devices.
The vulnerability stems from an OS Command Injection flaw in GeoVision devices, which enables attackers to inject and execute arbitrary commands on the system without requiring authentication. According to TWCERT/CC, “Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”
The vulnerability affects the following EOL GeoVision devices:
- GV-VS12
- GV-VS11
- GV-DSP_LPR_V3
- GVLX 4 V2
- GVLX 4 V3
As these devices are no longer supported, no patches or updates will be issued to address the flaw.
The vulnerability was identified by Piotr Kijewski from The Shadowserver Foundation, whose efforts in uncovering and reporting the issue have been acknowledged by TWCERT/CC. The Shadowserver Foundation has observed a botnet targeting this flaw.
We observed a 0day exploit in the wild used by a botnet targeting GeoVision EOL devices. The pre-auth command injection vulnerability was verified in collaboration with TWCERT & GeoVision & assigned CVE-2024-11120 (CVSS 9.8)https://t.co/DflYdYZzto
NVD: https://t.co/r5xKP1nocq pic.twitter.com/A2kA0LeXdP
— The Shadowserver Foundation (@Shadowserver) November 15, 2024
The active exploitation of CVE-2024-11120 underscores the importance of maintaining up-to-date security practices and replacing unsupported hardware. Users are recommended to remove from GeoVision devices the Internet and replace them. Organizations relying on GeoVision devices listed in the advisory should act swiftly to prevent further compromise.
