TL;DR
GeoVision disclosed 10 flaws in its GV-LPC2011 and GV-LPC2211 license plate cameras. All affect firmware V1.12 and earlier. Every bug is unauthenticated and remote, and four score 9.8 with possible remote code execution.
Why It Matters
These cameras read license plates at gates, car parks, and checkpoints. They often sit on networks beside other security gear. Every flaw in this advisory is remotely reachable without authentication, so an attacker needs no login to trigger one. The advisory states that “a remote attacker may exploit” each issue with a crafted request. These GeoVision camera vulnerabilities put both the device and its wider network at risk. A compromised camera can also serve as a foothold for deeper attacks. Researchers from Nanjing University of Posts and Telecommunications and Hong Kong Polytechnic University reported the bugs.
How the Attack Works
The flaws span several services. CVE-2026-57872 is a directory traversal bug in get_fcont.cgi that leaks files. Several other bugs crash CGI components through NULL pointer or bounds errors, which causes denial of service. CVE-2026-57873 and CVE-2026-57875 fall in this group. CVE-2026-57876 triggers an out-of-bounds write in onvif.cgi. The four critical issues are stack-based buffer overflows in the thttpd, ssvr, and vlsvr services. Two of them target RTSP authentication data, while the others abuse web and login parameters. Each one parses attacker-controlled input without proper length checks. As a result, an overly long request can corrupt memory and may lead to code execution. A format string bug in vlsvr (CVE-2026-57877) adds another route to information disclosure or crashes.
Affected Versions
All of these GeoVision camera vulnerabilities affect GV-LPC2011 and GV-LPC2211 on firmware V1.12 or earlier. No other models appear in the advisory. Owners should check their firmware version through the device web interface.
Patch and Mitigation
GeoVision fixed all 10 issues in firmware V1.13. Update through GeoVision’s download page right away. Until you patch, keep these cameras off the public internet. Place them behind a firewall and restrict access to trusted hosts. Disable any unused services, such as ONVIF or RTSP, where possible. You can read the full details in the GeoVision security advisory. These GeoVision camera vulnerabilities have no confirmed public proof-of-concept and no in-the-wild exploitation. Still, unauthenticated network bugs draw fast attention, so patch quickly.
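The following Python script is an added example, not code from GeoVision or the original article. It triages a device inventory against the range stated above (GV-LPC2011 and GV-LPC2211 below the fixed V1.13); the CSV layout, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
import re

AFFECTED_MODELS = {"GV-LPC2011", "GV-LPC2211"}  # models named in the advisory
FIRST_FIXED = (1, 13)                            # V1.13 fixes all 10 issues

def parse_version(text):
    """Turn 'V1.12' or 'v1.9' into (1, 12) or (1, 9); None if unrecognised."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(model, firmware):
    """Return 'not-listed', 'affected', 'fixed' or 'unknown' for one device."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # confirm by hand in the device web interface
    # Tuples compare numerically per component, so V1.9 < V1.12 < V1.13.
    # A plain string comparison would wrongly rank "V1.9" above "V1.13".
    # Assumption: any build numbered below V1.13 counts as affected.
    return "affected" if version < FIRST_FIXED else "fixed"

def triage(inventory_csv):
    """Yield (host, model, firmware, status) for each inventory row."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        yield (row["host"], row["model"], row["firmware"],
               classify(row["model"], row["firmware"]))

# Constructed sample inventory; hosts use the 192.0.2.0/24 documentation range
# and EXAMPLE-CAM is a placeholder for a model the advisory does not list.
SAMPLE = """host,model,firmware
192.0.2.10,GV-LPC2011,V1.12
192.0.2.11,GV-LPC2211,V1.9
192.0.2.12,GV-LPC2211,V1.13
192.0.2.13,GV-LPC2011,
192.0.2.14,EXAMPLE-CAM,V2.0
"""

if __name__ == "__main__":
    for host, model, firmware, status in triage(SAMPLE):
        print(f"{host:<12} {model:<11} {firmware or '?':<6} {status}")
```

Rows reported as "unknown" have no parseable firmware string and still need a manual check before they can be treated as patched.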