CVE-2018-25118
Published: 2025-10-20
Priority: P189 | Severity: critical | CVSS 4.0 base score: 10
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 1.32% (67.2th percentile)
GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geovision_inc | geovision_embedded_ip_devices | < November/December 2017 firmware | November/December 2017 firmware |
| geovision_inc | gv-bx1500 | < November/December 2017 firmware | November/December 2017 firmware |
| geovision_inc | gv-mfd1501 | < November/December 2017 firmware | November/December 2017 firmware |
CVSS provenance
nvd · v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 10.0 CRITICAL
GHSA
GHSA-jw2v-jc28-rfh8 (CVE-2018-25118, CRITICAL, CWE-78): GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.
ghsa_unreviewed · 2025-10-21
VulnCheck
CVE-2018-25118 [CRITICAL] geovision gv-bx1500_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2018 · CVSS 10.0
GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.
Affected: GeoVision GV-BX1500/GV-MFD1501
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2018-25118; https://www.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/mcw0/PoC/blob/fb06efe05b7e240dc88ff31eb30e1ef345509dce/Geovision-PoC.py#L15
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.exploit-db.com/exploits/43982
- https://www.geovision.com.tw/blog/?cat=14
- https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi