CVE-2025-26264
Published 2025-02-27
Priority: P276 | high | 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 18.03% (96.8th percentile)
GeoVision GV-ASWeb version 6.1.2.0 and earlier (fixed in 6.2.0) contains a Remote Code Execution (RCE) vulnerability in its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to full system compromise.
Detection & IOCs
snort
ET WEB_SPECIFIC_APPS GeoVision GV-ASWeb <=v6.1.2.0 RCE (CVE-2025-26264); flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ASWeb/bin/ASWebCommon.srf"; fast_pattern; http.cookie; content:"GvWebUser|3d|"; content:"GvServerVersion="; pcre:"/^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])/R"; http.request_body; content:"action=NT_SetNotificationSetting"; content:"powershell"; nocase; distance:0; sid:2066511; rev:1;
- Inspect session cookies for 'GvWebUser' and 'GvServerVersion' to identify GeoVision ASWeb sessions; version values matching /^6\.[0-1]\.[0-9]/ or /^[0-5]\.[0-9]\.[0-9]/ indicate a vulnerable instance.
- The exploit requires an authenticated account with 'System Settings' / Notification Settings management privileges — monitor for privilege escalation or credential compromise targeting these roles.
- The Snort/Suricata rule PCRE targets version strings in the GvServerVersion cookie; ensure the regex engine correctly handles the lookahead /^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])/ — test against your IDS version before deployment.
- The Snort rule metadata marks this as plaintext (tls_state plaintext) only — if ASWeb is deployed behind TLS termination, SSL inspection must be enabled for the rule to fire.
- The 'powershell' keyword match is case-insensitive and distance:0 relative to 'action=NT_SetNotificationSetting' — an attacker obfuscating the powershell invocation (e.g., encoding, aliasing) may evade this signature.
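One way to test the version PCRE before deployment, as an added example that is not part of the rule or of the sources quoted above: it applies the rule's regex to GvServerVersion cookie values and compares the result with a numeric check against the fixed release 6.2.0. The Cookie headers are constructed, the function names are hypothetical, and the page does not say whether versions with a two-digit component exist in the field.

```python
import re

# PCRE copied from the rule. Suricata's /R flag anchors it right after the
# preceding content match ("GvServerVersion="); re.match() emulates that here.
RULE_PCRE = re.compile(r"^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])")
MARKER = "GvServerVersion="
FIXED = (6, 2, 0, 0)  # 6.2.0 is the fixed release named in the description

def cookie_version(cookie_header):
    """Return the raw GvServerVersion value from a Cookie header, or None."""
    idx = cookie_header.find(MARKER)
    if idx < 0:
        return None
    return cookie_header[idx + len(MARKER):].split(";", 1)[0].strip()

def rule_matches(version):
    """True when the rule's PCRE accepts this version string."""
    return RULE_PCRE.match(version) is not None

def below_fixed(version):
    """Numeric comparison with 6.2.0; None when the value is not dotted digits."""
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", version):
        return None
    nums = tuple(int(p) for p in version.split("."))
    return (nums + (0, 0, 0, 0))[:4] < FIXED

def audit(cookie_headers):
    """(version, rule_matches, below_fixed) for each header carrying the cookie."""
    versions = [cookie_version(h) for h in cookie_headers]
    return [(v, rule_matches(v), below_fixed(v)) for v in versions if v is not None]

def coverage_gaps(cookie_headers):
    """Versions numerically below 6.2.0 that the PCRE would not match."""
    return [v for v, hit, old in audit(cookie_headers) if old and not hit]

# Constructed Cookie headers for the test, not captured traffic.
SAMPLES = [
    "GvWebUser=admin; GvServerVersion=6.1.2.0",
    "GvWebUser=admin; GvServerVersion=6.2.0",
    "GvWebUser=admin; GvServerVersion=5.10.3",
    "GvServerVersion=4.9.1; GvWebUser=op",
    "GvWebUser=admin; GvServerVersion=16.1.0",
    "sessionid=abc",
]

if __name__ == "__main__":
    print(*audit(SAMPLES), sep="\n")
    print("below 6.2.0 but not matched:", coverage_gaps(SAMPLES))
```

The lookahead requires a single digit followed by a dot, so a value such as the constructed 5.10.3 is below 6.2.0 yet falls outside the signature; pair the rule with an inventory-based version check.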
Suricata
ET WEB_SPECIFIC_APPS GeoVision GV-ASWeb <=v6.1.2.0 RCE (CVE-2025-26264)
suricata·2025-12-30·CVSS 8.8
ET WEB_SPECIFIC_APPS GeoVision GV-ASWeb $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS GeoVision GV-ASWeb <=v6.1.2.0 RCE (CVE-2025-26264)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ASWeb/bin/ASWebCommon.srf"; fast_pattern; http.cookie; content:"GvWebUser|3d|"; content:"GvServerVersion="; pcre:"/^6\.(?=[0-1]\.[0-9])|^[0-5]\.(?=[0-9]\.[0-9])/R"; http.request_body; content:"action=NT_SetNotificationSetting"; content:"powershell"; nocase; distance:0; reference:cve,2025-26264; reference:url,github.com/DRAGOWN/CVE-2025-26264; classtype:web-application-attack; sid:2066511; rev:1; metadata:affected_product GeoVision, attack_target IoT, tls_state plaintext, created_at 2025_12_30, cve CVE_2025_26264, deployment Perimeter, deployment Internal, performance_impact Low,