Description

GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.

Status: PUBLISHED | Reserved: 2025-10-20 | Published: 2025-10-20 | Updated: 2025-10-23 | Assigner: VulnCheck

Severity

CRITICAL: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected
Any version before November/December 2017 firmware: affected

Default status: unaffected
Any version before November/December 2017 firmware: affected

Default status: unaffected
Any version before November/December 2017 firmware: affected

Credits

bashis (finder)

References

www.exploit-db.com/exploits/43982 (exploit)

github.com/...e240dc88ff31eb30e1ef345509dce/Geovision-PoC.py (exploit)

www.vulncheck.com/...command-injection-rce-picture-catch-cgi (third-party advisory)

www.geovision.com.tw/blog/?cat=14 (release notes, patch)

www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a (third-party advisory, government resource, exploit)

cve.org (CVE-2018-25118)

nvd.nist.gov (CVE-2018-25118)