GeoVision 0-Day Vulnerability Exploited in the Wild

### #Cybersecurity #ZeroDay #GeoVision

Summary: Researchers have identified the exploitation of a critical zero-day vulnerability (CVE-2024-11120) in unsupported GeoVision devices, allowing attackers to execute commands without authentication. This vulnerability poses significant risks as it is actively targeted by a sophisticated botnet.

Threat Actor: Botnet | botnet
Victim: GeoVision Devices | GeoVision Devices

Key Point :

  • The vulnerability has a high-severity CVSS score of 9.8, indicating critical risk.
  • Attackers can remotely compromise devices, gaining full control without authentication.
  • Organizations are advised to disconnect affected devices from the internet and consider hardware upgrades.
  • Shadowserver Foundation and TWCERT confirmed the vulnerability’s existence and its exploitation in the wild.
  • Limited patching options exist due to the End-of-Life status of many affected devices.

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which the manufacturer no longer supports.

The vulnerability, now designated as CVE-2024-11120, has been assigned a high-severity CVSS score of 9.8 and used by a sophisticated botnet.

The security flaw is a pre-authentication command injection vulnerability, which allows attackers to execute arbitrary commands on vulnerable GeoVision devices without requiring authentication.

– Advertisement –
SIEM as a ServiceSIEM as a Service

This poses a significant risk, enabling malicious actors to compromise devices remotely, and giving them full control over the affected systems.

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar

The vulnerability was first reported by Shadowserver Foundation, a respected non-profit organization focused on improving internet security.

In a statement shared on X, Shadowserver confirmed, “We observed a 0-day exploit in the wild used by a botnet targeting GeoVision EOL devices. The pre-auth command injection vulnerability was verified in collaboration with TWCERT & GeoVision & assigned CVE-2024-11120.”

GeoVision, a company known for its video surveillance systems, has since confirmed the existence of the vulnerability in its End-of-Life (EOL) devices, which are no longer receiving security updates.

The collaboration with Shadowserver and Taiwan’s Computer Emergency Response Team (TWCERT) helped verify the issue, but due to the EOL status of many affected devices, patching options remain limited.

Security experts are urging organizations and individuals still using legacy GeoVision devices to take immediate action.

Recommended steps include disconnecting the devices from the internet if updates cannot be applied, segmenting the network, and replacing outdated hardware with more secure alternatives.

The botnet responsible for exploiting CVE-2024-11120 is actively targeting vulnerable devices to expand its network, posing a threat to both individuals and organizations globally.

Additional information on mitigations and workarounds is expected to be shared by relevant authorities in the coming days.

Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox

Source: https://gbhackers.com/geovision-0-day-vulnerability