CVE-2024-11120
Published 2024-11-15
Priority: P1 97 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-05-28
Exploited in the wild
EPSS: 28.55% (97.9th percentile)
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geovision | gv-dsp_lpr_v3 | — | — |
| geovision | gv-vs11 | — | — |
| geovision | gv-vs12 | — | — |
| geovision | gvlx_4_v2 | — | — |
| geovision | gvlx_4_v3 | — | — |
Detection & IOCs (extracted from sources)
Path: /DateSetting.cgi
Snort/Suricata rule:
```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at 2025_05_06, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets HTTP POST requests to /DateSetting.cgi with the szSrvIpAddr parameter containing OS command injection characters (;, newline, backtick, pipe, $); monitor for these patterns in POST bodies to this endpoint.
- Exploitation is unauthenticated (no session/auth token required); any POST to /DateSetting.cgi from an external IP should be treated as suspicious.
- Post-compromise payload is a Mirai botnet variant; look for outbound C2 beaconing, DDoS traffic, or cryptomining activity from affected GeoVision devices after exploitation.
- Approximately 17,000 GeoVision devices are exposed online; prioritize scanning your perimeter for internet-facing GV-VS12, GV-VS11, GV-DSP LPR V3, GV-LX4C V2, and GV-LX4C V3 devices.
- Behavioral indicators of compromise on affected devices include excessive heat, slowness/unresponsiveness, and arbitrary configuration changes.
- All affected device models (GV-VS12, GV-VS11, GV-DSP LPR V3, GV-LX4C V2/V3) are end-of-life; no vendor patches will be issued. Detection rules should remain permanently active for these devices.
- The Snort/Suricata rule (sid:2062140) is deployed for plaintext (non-TLS) traffic only; encrypted traffic to these devices will not be detected by this signature.
- CISA KEV remediation due date is 2025-05-28; federal agencies must apply mitigations or discontinue use by that date.
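To check what sid:2062140 does and does not fire on, the following re-implements the rule's match conditions (POST, exact URI, szSrvIpAddr= followed by a raw or URL-encoded shell metacharacter before the next `&`) in Python and runs it over constructed sample requests. This is an added example, not the page's or Emerging Threats' code; the sample traffic, host addresses and helper names are made up.

```python
import re
from dataclasses import dataclass

# Same conditions as ET rule sid:2062140: POST, URI exactly /DateSetting.cgi
# (bsize:16), body contains "szSrvIpAddr=" and, before the next '&', one of
# ; newline ` | $ either raw or URL-encoded (%3B %0A %60 %7C %24).
INJECT_RE = re.compile(r"^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")
PARAM = "szSrvIpAddr="


@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, URI and body (assumed helper)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return HttpRequest(method, uri, body)


def matches_datesetting_injection(req: HttpRequest) -> bool:
    """True when the request satisfies the rule's match conditions."""
    if req.method != "POST" or req.uri != "/DateSetting.cgi":
        return False
    idx = req.body.find(PARAM)
    if idx < 0:
        return False
    # /R in the rule: the pcre is anchored immediately after "szSrvIpAddr="
    return INJECT_RE.match(req.body[idx + len(PARAM):]) is not None


HDR = "POST /DateSetting.cgi HTTP/1.1\r\nHost: 192.0.2.5\r\n\r\n"
# Constructed sample traffic (not real captures); 192.0.2.0/24 is TEST-NET-1.
SAMPLES = {
    "benign_ntp_change": HDR + "szSrvIpAddr=192.0.2.10&szTimeZone=UTC",
    "raw_semicolon": HDR + "szSrvIpAddr=192.0.2.10;id&szTimeZone=UTC",
    "encoded_backtick": HDR + "szSrvIpAddr=192.0.2.10%60id%60",
    "metachar_elsewhere": HDR + "szTimeZone=UTC;id&szSrvIpAddr=192.0.2.10",
    "get_not_post": "GET /DateSetting.cgi HTTP/1.1\r\nHost: 192.0.2.5\r\n\r\n",
}


def scan_samples(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether the rule logic would alert on it."""
    return {name: matches_datesetting_injection(parse_request(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Note that a metacharacter in any parameter other than szSrvIpAddr does not trigger the rule, so the signature is narrower than the bullet above about treating every external POST to the endpoint as suspicious.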
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-hq2j-jpv4-q865: Certain EOL GeoVision devices have an OS Command Injection vulnerability
ghsa_unreviewed · 2024-11-15 · CVE-2024-11120 · CRITICAL · CWE-78
Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.
VulnCheck
GeoVision Devices OS Command Injection Vulnerability
vulncheck · 2024 · CVSS 9.8 · CVE-2024-11120 · CRITICAL · CWE-78
Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: GeoVision Multiple Devices
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/; https://www.cve.org/CVERecord?id=CVE-2024-11120; https://www.twcert.org.tw/en/cp-139-8237-26d7a-
CISA
GeoVision Devices OS Command Injection Vulnerability
cisa · 2025-05-07 · CVSS 9.8 · CVE-2024-11120 · CRITICAL · CWE-78
Affected: GeoVision Multiple Devices
Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://dlcdn.geovision.com.tw/TechNotice/CyberSecurity/Security_Advisory_IP_Device_2024-11.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2024-11120
Remediation Due Date: 2025-05-28
Suricata
ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt
suricata · 2025-05-06 · CVE-2024-6047
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at
No public exploits indexed.
Bleepingcomputer
Botnet exploits GeoVision zero-day to install Mirai malware
blogs_bleepingcomputer · 2024-11-15 · CVSS 9.8 · CVE-2024-11120 · CRITICAL
By Bill Toulas
A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks.
The flaw is tracked as CVE-2024-11120 and was discovered by Piotr Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) OS command injection problem, allowing unauthenticated attackers to execute arbitrary system commands on the device.
"Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT.
"Moreover, this vulnerability has already been exploited by attackers, and we have received related reports."
According to TWCERT,
Greynoiseio
NoiseLetter May 2025
blogs_greynoiseio
arXiv
Downsides of Smartness Across Edge-Cloud Continuum in Modern Industry
arxiv_fulltext · 2026-03
Akhil Gupta Chigullapally^1, Sharvan Vittala^1, Razin Farhan Hussian^2, Mohsen Amini Salehi^3
^1 Department of Computer Science and Engineering, University of North Texas (UNT)
^2 Versaterm Public Safety Inc., Canada
^3 High Performance Cloud Computing (HPCC) Lab, Department of Computer Science and Engineering, University of North Texas (UNT)
## Abstract
The fast pace of modern AI is rapidly transforming traditional industrial systems into vast,
intelligent—and potentially unmanned—autonomous operational environments driven by AI-based solutions. These solutions leverage various forms of machine lea
- 2024-11-15: Published
- 2025-05-07: Added to CISA KEV
- Exploited in the wild