CVE-2025-26264
Published: 27 February 2025
Summary
CVE-2025-26264 is a high-severity code injection (CWE-94) vulnerability in GeoVision GV-ASWeb (product inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
GeoVision GV-ASWeb versions 6.1.2.0 and earlier contain a remote code execution vulnerability in the Notification Settings feature, tracked as CVE-2025-26264 and fixed in version 6.2.0. The flaw is a code injection issue (CWE-94) that allows arbitrary command execution on the underlying server when triggered through the web interface.
An attacker who has already obtained authenticated access with System Settings privileges can exploit the vulnerability over the network to run commands, resulting in full system compromise. The CVSS 3.1 score of 8.8 reflects network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
Public references point to a vendor download page for updated GeoVision access-control software and a GitHub repository containing exploit details. The current and peak EPSS score of 0.2954 indicates moderate exploitation probability without a rising trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5495
Vulnerability details
GeoVision GV-ASWeb with the version 6.1.2.0 or less (fixed in 6.2.0) contains a Remote Code Execution (RCE) vulnerability within its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to a full system compromise.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via command injection in internet-facing web app (Notification Settings) matches T1190 exactly; authenticated network exploitation leads to full system compromise.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires timely remediation of the RCE flaw in GV-ASWeb Notification Settings by applying the patch to version 6.2.0.
SI-10 (Information Input Validation): prevents command injection (CWE-94) in the Notification Settings feature through rigorous input validation and error handling.
Least privilege: minimizes the attack surface by restricting 'System Settings' privileges to only essential personnel, reducing the pool of accounts able to reach the vulnerable feature.