CVE-2026-42365 PUBLISHED

GeoVision LPC2011/LPC2211 Web Interface guessable session cookie vulnerability

Assigner: GV
Reserved: 26.04.2026 Published: 04.05.2026 Updated: 04.05.2026

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypas. An attacker can bruteforce session cookies to trigger this vulnerability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS Score: 8.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	GeoVision Inc.
Product	GV-LPC2011/LPC2211
Versions	Default: unaffected Version 1.10 is affected Version 1.12 is unaffected

Solutions

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability.

The user may visit the GeoVision website or contact the GeoVision Support team for firmware update.

Credits

Philippe Laulheret of Cisco Talos. finder
Kelly Patterson of Cisco Talos. remediation reviewer
Martin Zeiser of Cisco Talos. coordinator

References

Problem Types

CWE-341 Predictable from observable state CWE

Impacts

CAPEC-112 Brute Force
CAPEC-115 Authentication Bypass