CVE-2024-6047
Published 2024-06-17
Priority P1 · 93 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability · due 2025-05-28
Exploited in the wild
EPSS 9.99% · 95.0th percentile
Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geovision | gv-vs14_vs14 | — | — |
| geovision | gv_dsp_lpr_v2 | — | — |
| geovision | gv_gm8186_vs14 | — | — |
| geovision | gv_ipcamd_gv_bx130 | — | — |
| geovision | gv_ipcamd_gv_bx1500 | — | — |
| geovision | gv_ipcamd_gv_cb220 | — | — |
| geovision | gv_ipcamd_gv_ebl1100 | — | — |
| geovision | gv_ipcamd_gv_efd1100 | — | — |
| geovision | gv_ipcamd_gv_fd2410 | — | — |
| geovision | gv_ipcamd_gv_fd3400 | — | — |
| geovision | gv_ipcamd_gv_fe3401 | — | — |
| geovision | gv_ipcamd_gv_fe420 | — | — |
| geovision | gv_vs03 | — | — |
| geovision | gv_vs04a | — | — |
| geovision | gv_vs04h | — | — |
| geovision | gv_vs216xx | — | — |
| geovision | gv_vs2410 | — | — |
| geovision | gv_vs28xx | — | — |
| geovision | gvlx_4_v2 | — | — |
| geovision | gvlx_4_v3 | — | — |
Detection & IOCs
url: https://www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/DateSetting.cgi"; fast_pattern; http.request_body; content:"szSrvIpAddr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-6047; reference:cve,2024-11120; reference:url,www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot-botnet; classtype:attempted-admin; sid:2062140; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at 2025_05_06, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets the `szSrvIpAddr` POST parameter in `/DateSetting.cgi` via HTTP POST. Look for shell metacharacters (`;`, `%3B`, `\n`, `%0A`, backtick, `%60`, `|`, `%7C`, `$`, `%24`) injected into that parameter value.
- Exploitation is unauthenticated: no session/auth token is required. Alert on POST requests to `/DateSetting.cgi` from external/untrusted sources regardless of authentication state.
- Active exploitation is linked to a Mirai-based IoT botnet campaign. Correlate detections with known Mirai C2 infrastructure and post-exploitation botnet behaviors.
- Traffic is expected in plaintext (non-TLS). Focus network monitoring on unencrypted HTTP to GeoVision device IPs on standard web ports.
- CVE-2024-11120 is co-referenced in the same Snort rule, suggesting the same exploitation infrastructure/campaign targets both vulnerabilities on GeoVision devices simultaneously.
- Affected devices are end-of-life (EoL) / end-of-service (EoS): no vendor patch is available. Detection and network isolation are the only mitigations.
- CISA BOD 22-01 remediation deadline is 2025-05-28; federal agencies must act by that date. Ensure GeoVision devices are inventoried and either isolated or removed.
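The rule's matching logic, restated as an added Python example for triaging captured HTTP requests where the sensor rule was not yet deployed (this is not part of the original page or of the ET ruleset). The sample requests, source addresses, the `zone` and `note` parameter names and the `CONSTRUCTED` markers are all constructed placeholders.

```python
import re

RULE_URI = "/DateSetting.cgi"  # http.uri with bsize:16, i.e. an exact match
# Value of the parameter, bounded by the next "&" like the rule's [^\x26]*?
VALUE_RE = re.compile(rb"szSrvIpAddr=([^&]*)")
# The rule's alternation: ; newline backtick | $ in raw or percent-encoded form
META_RE = re.compile(rb";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")

def find_injection(method, uri, body):
    """Return the first shell metacharacter token in szSrvIpAddr, or None."""
    if method != "POST" or uri != RULE_URI:
        return None
    for value in VALUE_RE.finditer(body):
        hit = META_RE.search(value.group(1))
        if hit:
            return hit.group(0).decode("latin-1")
    return None

# Constructed sample requests: (source IP, method, URI, raw request body).
SAMPLES = [
    ("198.51.100.7", "POST", "/DateSetting.cgi",
     b"szSrvIpAddr=time.example.org&zone=8"),
    ("203.0.113.9", "POST", "/DateSetting.cgi",
     b"zone=8&szSrvIpAddr=time.example.org%3bCONSTRUCTED"),
    ("203.0.113.9", "POST", "/DateSetting.cgi",
     b"szSrvIpAddr=$(CONSTRUCTED)&zone=8"),
    # Metacharacter in a different parameter: outside the rule's scope.
    ("198.51.100.7", "POST", "/DateSetting.cgi",
     b"szSrvIpAddr=time.example.org&note=a;b"),
    ("198.51.100.7", "GET", "/DateSetting.cgi", b""),
]

def triage(samples):
    """Return (source, token) for every request the rule logic would alert on."""
    alerts = []
    for src, method, uri, body in samples:
        token = find_injection(method, uri, body)
        if token is not None:
            alerts.append((src, token))
    return alerts

if __name__ == "__main__":
    for src, token in triage(SAMPLES):
        print(f"ALERT {src}: metacharacter {token!r} in szSrvIpAddr")
```

The check runs on the raw, still URL-encoded body, as the rule does, which is why both `;` and `%3B` appear in the pattern.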
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-w8wf-rhcx-wvhg: Certain EOL GeoVision devices fail to properly filter user input for the specific functionality
ghsa_unreviewed·2024-06-17
CVE-2024-6047 [CRITICAL] CWE-78 GHSA-w8wf-rhcx-wvhg: Certain EOL GeoVision devices fail to properly filter user input for the specific functionality
Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.
VulnCheck
GeoVision Devices OS Command Injection Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-6047 [CRITICAL] CWE-78 GeoVision Devices OS Command Injection Vulnerability
Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: GeoVision Multiple Devices
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://github.com/unknownhad/CloudIntel/blob/e684f4a0b7c7a35242a68067e42757d5dd87bcfc/2024/09/03-09-2024#L34; https://www.akamai.com/blog/security-research/2025/may/active-exploitation-mirai-geovision-iot
CISA
GeoVision Devices OS Command Injection Vulnerability
cisa·2025-05-07·CVSS 9.8
CVE-2024-6047 [CRITICAL] CWE-78 GeoVision Devices OS Command Injection Vulnerability
Vulnerability: GeoVision Devices OS Command Injection Vulnerability
Affected: GeoVision Multiple Devices
Multiple GeoVision devices contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://dlcdn.geovision.com.tw/TechNotice/CyberSecurity/Security_Advisory_IP_Device_2024-11.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2024-6047
Remediation Due Date: 2025-05-28
Suricata
ET WEB_SPECIFIC_APPS GeoVision DateSetting.cgi szSrvIpAddr Parameter Command Injection Attempt
suricata·2025-05-06
No public exploits indexed.
Greynoiseio
NoiseLetter May 2025
blogs_greynoiseio
arXiv
Downsides of Smartness Across Edge-Cloud Continuum in Modern Industry
arxiv_fulltext·2026-03
Akhil Gupta Chigullapally^1, Sharvan Vittala^1, Razin Farhan Hussian^2, Mohsen Amini Salehi^3
^1Department of Computer Science and Engineering, University of North Texas (UNT)
^2Versaterm Public Safety Inc., Canada
^3High Performance Cloud Computing (HPCC) Lab, Department of Computer Science and Engineering, University of North Texas (UNT)
## Abstract
The fast pace of modern AI is rapidly transforming traditional industrial systems into vast, intelligent—and potentially unmanned—autonomous operational environments driven by AI-based solutions. These solutions leverage various forms of machine lea
https://www.twcert.org.tw/en/cp-139-7884-c5a8b-2.html
https://www.twcert.org.tw/tw/cp-132-7883-f5635-1.html
https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-6047
2024-06-17: Published
2025-05-07: Added to CISA KEV
Exploited in the wild