CVE-2026-42364 PUBLISHED

GeoVision LPC2011/LPC2211 Web Interface / DdnsSetting.cgi OS command injection vulnerability

Assigner: GV
Reserved: 26.04.2026 Published: 04.05.2026 Updated: 04.05.2026

An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	GeoVision Inc.
Product	GV-LPC2011/LPC2211
Versions	Default: unaffected Version 1.10 is affected Version 1.12 is unaffected

Solutions

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability.

The user may visit GeoVision website or contact GeoVision Support team for firmware update.

Credits

Philippe Laulheret of Cisco Talos. finder
Kelly Patterson of Cisco Talos. remediation reviewer
Martin Zeiser of Cisco Talos. coordinator

References

Problem Types

CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') CWE

Impacts

CAPEC-88 OS Command Injection