CVE 9.3 CRITICAL

GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability_CVE-2026-42363

April 26, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Description

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.

When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.

AI Analysis

Insufficient encryption vulnerability in Device Authentication functionality of GeoVision GV-IP Device Utility, allowing an attacker to listen to broadcast packets and decrypt credentials.

Basic Information

ID CVE-2026-42363

Source GV

Published Apr 26, 2026 at 23:58

Affected Product

Vendor GeoVision Inc.

Product GV-IP Device Utility

Version 9.0.5.0

Affected Versions GeoVision Inc. GV-IP Device Utility 9.0.5.0

CWE Classification

CWE-656

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor GeoVision Inc.

Product GV-IP Device Utility

Version 9.0.5.0

References

{
    "lastseen": "",
    "description": "An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.\n\n\nWhen interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the \"obscurity\" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.",
    "published": "2026-04-26T23:58:49.334Z",
    "modified": "2026-04-26T23:58:49.334Z",
    "type": "cve",
    "title": "GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability",
    "source": "GV",
    "references": "https://www.geovision.com.tw/cyber_security.php\nhttps://talosintelligence.com/vulnerability_reports/",
    "id": "CVE-2026-42363",
    "bulletinFamily": "",
    "cwe": [
        "CWE-656"
    ],
    "cvelist": null,
    "sourceData": "GeoVision Inc. GV-IP Device Utility 9.0.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GV-IP Device Utility",
    "version": "9.0.5.0",
    "vendor": "GeoVision Inc.",
    "ai_description": "Insufficient encryption vulnerability in Device Authentication functionality of GeoVision GV-IP Device Utility, allowing an attacker to listen to broadcast packets and decrypt credentials.",
    "ai_severity": "Critical",
    "ai_vendor": "GeoVision Inc.",
    "ai_product": "GV-IP Device Utility",
    "ai_version": "9.0.5.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply