GeoVision Command Injection RCE via /PictureCatch.cgi

Advisories

severity: critical
date: October 20, 2025
Affecting: GV-BX1500 firmware versions released prior to Nov/Dec 2017
GV-MFD1501 firmware versions released prior to Nov/Dec 2017
Other GeoVision embedded IP devices' firmware released prior to Nov/Dec 2017
CVE: CVE-2018-25118
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: GitHub PoC
ExploitDB-43982
GeoVision Release Notes
Credit: bashis
Description: GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.