Cyber Resilience

CVE-2024-11120

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 November 2024
Modified: 30 October 2025
KEV Added: 07 May 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6614 (98.5th percentile)
Risk Priority: 79 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11120 is a critical-severity OS Command Injection (CWE-78) vulnerability in Geovision Gvlx 4 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

Certain EOL GeoVision devices contain an OS command injection vulnerability tracked as CVE-2024-11120 and assigned CWE-78. The flaw permits unauthenticated remote attackers to supply and execute arbitrary system commands, reflected in its CVSS 3.1 score of 9.8 with a network attack vector, no required credentials or user interaction, and full impact on confidentiality, integrity, and availability.

Attackers can reach affected devices directly over the network and obtain complete control by injecting operating-system commands. The vulnerability has already been exploited in the wild, with incident reports confirming active use against these end-of-life products.

TW-CERT advisories and the Akamai security research blog detail the issue and note its incorporation into Mirai-based IoT botnets, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. The associated EPSS score reached a peak of 0.6614 with no subsequent material change.


Vulnerability details

Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 07 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

geovision gv-vs12 firmware: all versions
geovision gv-vs11 firmware: all versions
geovision gv-dsp lpr firmware: all versions
geovision gvlx 4 firmware: all versions

Mitigating Controls

NIST 800-53 r5 controls

SI-10 Information Input Validation (prevent): Directly requires validation of all input to block crafted payloads that produce OS command injection (CWE-78).

SA-22 Unsupported System Components (prevent): Mandates replacement or isolation of unsupported EOL components whose lack of patches leaves the command-injection flaw permanently exposed.

Boundary protection (prevent): Boundary-protection rules can block network-reachable unauthenticated access to the vulnerable device interfaces before injection occurs.

References