Cyber Resilience

CVE-2025-26264

Severity: High · Tag: RCE

Published: 27 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 6.2.0
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2954 (96.7th percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26264 is a high-severity Code Injection (CWE-94) vulnerability in Com (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

GeoVision GV-ASWeb versions 6.1.2.0 and earlier contain a remote code execution vulnerability in the Notification Settings feature, tracked as CVE-2025-26264 and fixed in version 6.2.0. The flaw is a code injection issue (CWE-94) that allows arbitrary command execution on the underlying server when triggered through the web interface.

An attacker who has already obtained authenticated access with System Settings privileges can exploit the vulnerability over the network to run commands, resulting in full system compromise. The CVSS 3.1 score of 8.8 reflects network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

Public references point to a vendor download page for updated GeoVision access-control software and a GitHub repository containing exploit details. The current and peak EPSS score of 0.2954 indicates moderate exploitation probability without a rising trajectory after disclosure.

EU & UK References

Vulnerability details

GeoVision GV-ASWeb with version 6.1.2.0 or earlier (fixed in 6.2.0) contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via command injection in an internet-facing web application (Notification Settings) matches T1190 exactly; authenticated network exploitation leads to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2026-30460 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2024-13792 (shared CWE-94)
CVE-2020-37052 (shared CWE-94)
CVE-2026-42555 (shared CWE-94)
CVE-2025-65037 (shared CWE-94)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation): directly requires timely remediation of the RCE flaw in GV-ASWeb Notification Settings by applying the patch to version 6.2.0.

Prevent (SI-10 Information Input Validation): prevents command injection (CWE-94) in the Notification Settings feature through rigorous input validation and error handling.

Prevent: minimizes the attack surface by restricting "System Settings" privileges to only essential personnel, reducing the pool of accounts able to reach the vulnerable feature.

References