CVE-2024-6047
published 2024-06-17

Priority: P193, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2025-05-28
ITW: Exploited in the wild
EPSS: 9.99% (95.0th percentile)

Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.

Affected

20 ranges

Vendor     Product                  Version range   Fixed in
geovision  gv-vs14_vs14
geovision  gv_dsp_lpr_v2
geovision  gv_gm8186_vs14
geovision  gv_ipcamd_gv_bx130
geovision  gv_ipcamd_gv_bx1500
geovision  gv_ipcamd_gv_cb220
geovision  gv_ipcamd_gv_ebl1100
geovision  gv_ipcamd_gv_efd1100
geovision  gv_ipcamd_gv_fd2410
geovision  gv_ipcamd_gv_fd3400
geovision  gv_ipcamd_gv_fe3401
geovision  gv_ipcamd_gv_fe420
geovision  gv_vs03
geovision  gv_vs04a
geovision  gv_vs04h
geovision  gv_vs216xx
geovision  gv_vs2410
geovision  gv_vs28xx
geovision  gvlx_4_v2
geovision  gvlx_4_v3

Detection & IOCs (extracted from sources)

path: /DateSetting.cgi
url: https://www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at 2025_05_06, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the `szSrvIpAddr` POST parameter in `/DateSetting.cgi` via HTTP POST. Look for shell metacharacters (`;`, `%3B`, `\n`, `%0A`, backtick, `%60`, `|`, `%7C`, `$`, `%24`) injected into that parameter value.
  • Exploitation is unauthenticated — no session/auth token is required. Alert on POST requests to `/DateSetting.cgi` from external/untrusted sources regardless of authentication state.
  • Active exploitation is linked to a Mirai-based IoT botnet campaign. Correlate detections with known Mirai C2 infrastructure and post-exploitation botnet behaviors.
  • Traffic is expected in plaintext (non-TLS). Focus network monitoring on unencrypted HTTP to GeoVision device IPs on standard web ports.
  • CVE-2024-11120 is co-referenced in the same Snort rule, suggesting the same exploitation infrastructure/campaign targets both vulnerabilities on GeoVision devices simultaneously.
  • Affected devices are end-of-life (EoL) / end-of-service (EoS), so no vendor patch is available. Detection and network isolation are the only mitigations.
  • CISA BOD 22-01 remediation deadline is 2025-05-28; federal agencies must act by that date. Ensure GeoVision devices are inventoried and either isolated or removed.
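
The request-level check described by the rule and the first two notes above, as an added Python example for triaging captured HTTP requests or proxy logs (it is not code from this page or from the rule's authors). The sample requests are constructed. Unlike the rule, which matches the string szSrvIpAddr= anywhere in the body, it splits the form body into parameters and percent-decodes the value once.

```python
from urllib.parse import unquote_to_bytes

TARGET_URI = "/DateSetting.cgi"   # the rule requires this exact 16-byte URI
PARAM = b"szSrvIpAddr"
# Metacharacters the rule looks for: ; newline backtick | $
SHELL_META = frozenset(b";\n`|$")


def injected_metachars(body: bytes) -> set:
    """Return the shell metacharacters present in any szSrvIpAddr value."""
    found = set()
    for pair in body.split(b"&"):          # like the rule, a value ends at '&'
        name, sep, raw_value = pair.partition(b"=")
        if not sep or name != PARAM:
            continue
        value = unquote_to_bytes(raw_value)  # %3B / %3b -> ';' and so on
        found.update(chr(b) for b in value if b in SHELL_META)
    return found


def is_suspicious(method: str, uri: str, body: bytes) -> bool:
    """True for a POST to /DateSetting.cgi with metacharacters in szSrvIpAddr."""
    return (method.upper() == "POST"
            and uri == TARGET_URI
            and bool(injected_metachars(body)))


# Constructed sample requests (method, URI, body); "other" is a placeholder name.
SAMPLES = [
    ("POST", "/DateSetting.cgi", b"other=1&szSrvIpAddr=192.0.2.10"),
    ("POST", "/DateSetting.cgi", b"szSrvIpAddr=192.0.2.10%3Bxyz"),
    ("POST", "/DateSetting.cgi", b"szSrvIpAddr=192.0.2.10`xyz`&other=1"),
    ("POST", "/DateSetting.cgi", b"other=a%3Bb&szSrvIpAddr=192.0.2.10"),
    ("GET", "/DateSetting.cgi", b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        verdict = "ALERT" if is_suspicious(method, uri, body) else "ok"
        print(f"{verdict:5} {method} {uri} {body!r}")
```
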

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL