CVE-2024-11120
published 2024-11-15


Priority: P197, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (KEV), due 2025-05-28
Exploited in the wild (ITW)
EPSS: 28.55% (97.9th percentile)

Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.

Affected

5 ranges

Vendor     Product         Version range   Fixed in
geovision  gv-dsp_lpr_v3
geovision  gv-vs11
geovision  gv-vs12
geovision  gvlx_4_v2
geovision  gvlx_4_v3

Detection & IOCs (extracted from sources)

Path: /DateSetting.cgi
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at 2025_05_06, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to /DateSetting.cgi with the szSrvIpAddr parameter containing OS command injection characters (;, newline, backtick, pipe, $) — monitor for these patterns in POST body to this endpoint.
  • Exploitation is unauthenticated — no session/auth token required; any POST to /DateSetting.cgi from an external IP should be treated as suspicious.
  • Post-compromise payload is a Mirai botnet variant; look for outbound C2 beaconing, DDoS traffic, or cryptomining activity from affected GeoVision devices after exploitation.
  • Approximately 17,000 GeoVision devices are exposed online; prioritize scanning your perimeter for internet-facing GV-VS12, GV-VS11, GV-DSP LPR V3, GV-LX4C V2, and GV-LX4C V3 devices.
  • Behavioral indicators of compromise on affected devices include excessive heat, slowness/unresponsiveness, and arbitrary configuration changes.
  • All affected device models (GV-VS12, GV-VS11, GV-DSP LPR V3, GV-LX4C V2/V3) are end-of-life; no vendor patches will be issued. Detection rules should remain permanently active for these devices.
  • The Snort/Suricata rule (sid:2062140) is deployed for plaintext (non-TLS) traffic only; encrypted traffic to these devices will not be detected by this signature.
  • CISA KEV remediation due date is 2025-05-28; federal agencies must apply mitigations or discontinue use by that date.
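
The same checks applied to already-collected HTTP request records (proxy or sensor logs), for triage where the rule above was not running. This is an added example, not part of the original rule or its sources; the HOME_NET range, the record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re

URI = "/DateSetting.cgi"
PARAM = b"szSrvIpAddr="
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range

# Same character set as the rule's pcre: raw or percent-encoded ; newline ` | $
# appearing in the parameter value, i.e. before the next '&'.
META = re.compile(rb"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def has_injection(body: bytes) -> bool:
    """True if any szSrvIpAddr value in the POST body holds a metacharacter."""
    pos = body.find(PARAM)
    while pos != -1:
        # match() anchors at the given offset, like the rule's relative (/R) pcre
        if META.match(body, pos + len(PARAM)):
            return True
        pos = body.find(PARAM, pos + 1)
    return False


def classify(src_ip: str, method: str, uri: str, body: bytes) -> str:
    """Label one HTTP request record from a proxy or sensor log."""
    if method != "POST" or uri != URI:  # bsize:16 means the URI must match exactly
        return "ignore"
    if has_injection(body):
        return "injection-attempt"
    if ipaddress.ip_address(src_ip) not in HOME_NET:
        return "external-post"  # unauthenticated endpoint reached from outside
    return "ignore"


# Constructed sample records (documentation IP ranges, placeholder payload text).
SAMPLES = [
    ("203.0.113.7", "POST", URI, b"a=1&szSrvIpAddr=time.example.org%3BPLACEHOLDER&x=1"),
    ("10.1.2.3", "POST", URI, b"szSrvIpAddr=time.example.org&note=a;b"),
    ("198.51.100.9", "POST", URI, b"szSrvIpAddr=time.example.org"),
    ("203.0.113.7", "GET", URI, b""),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec[0], classify(*rec))
```

The second sample shows why the match stops at '&': a metacharacter in a different parameter is not attributed to szSrvIpAddr.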

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL