cbcvebase.
CVE-2025-26264
published 2025-02-27

CVE-2025-26264: GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings…

PriorityP276high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
18.03%
96.8th percentile
GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0), contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise.

Detection & IOCsextracted from sources · hover to see the quote

url/ASWeb/bin/ASWebCommon.srf
cookieGvWebUser|3d|
cookieGvServerVersion=
commandaction=NT_SetNotificationSetting
commandpowershell
snort
ET WEB_SPECIFIC_APPS GeoVision GV-ASWeb <=v6.1.2.0 RCE (CVE-2025-26264); flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ASWeb/bin/ASWebCommon.srf"; fast_pattern; http.cookie; content:"GvWebUser|3d|"; content:"GvServerVersion="; pcre:"/^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])/R"; http.request_body; content:"action=NT_SetNotificationSetting"; content:"powershell"; nocase; distance:0; sid:2066511; rev:1;
  • Inspect session cookies for 'GvWebUser' and 'GvServerVersion' to identify GeoVision ASWeb sessions; version values matching /^6\.[0-1]\.[0-9]/ or /^[0-5]\.[0-9]\.[0-9]/ indicate a vulnerable instance.
  • The exploit requires an authenticated account with 'System Settings' / Notification Settings management privileges — monitor for privilege escalation or credential compromise targeting these roles.
  • ·The Snort/Suricata rule PCRE targets version strings in the GvServerVersion cookie; ensure the regex engine correctly handles the lookahead /^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])/ — test against your IDS version before deployment.
  • ·The Snort rule metadata marks this as plaintext (tls_state plaintext) only — if ASWeb is deployed behind TLS termination, SSL inspection must be enabled for the rule to fire.
  • ·The 'powershell' keyword match is case-insensitive and distance:0 relative to 'action=NT_SetNotificationSetting' — an attacker obfuscating the powershell invocation (e.g., encoding, aliasing) may evade this signature.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.