CVE-2026-42363
Published: 27 April 2026
Summary
CVE-2026-42363 is a critical-severity Reliance on Security Through Obscurity (CWE-656) vulnerability in GeoVision GV-IP Device Utility 9.0.5. Its CVSS v3.1 base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). It ranks at the 9.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): requires confidentiality and integrity protection for transmitted information, directly preventing eavesdropping on broadcast UDP packets that carry weakly encrypted credentials.
- SC-13 (Cryptographic Protection): mandates cryptographic mechanisms that protect the confidentiality of sensitive authentication data, addressing the insufficient Blowfish-derived encryption that relies on obscurity.
- SC-12 (Cryptographic Key Establishment and Management): enforces proper key establishment and management, which rules out transmitting the symmetric key alongside the encrypted credentials in the same packet.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's flawed encryption (key sent in the same UDP broadcast packet) directly enables passive network sniffing on the LAN to capture and decrypt credentials, as explicitly described in the CVE.
NVD Description
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default.
Deeper analysis
CVE-2026-42363 is an insufficient encryption vulnerability in the Device Authentication functionality of GeoVision GV-IP Device Utility version 9.0.5. The issue arises because the utility broadcasts privileged commands over UDP, including the username and password encrypted with a Blowfish-derived cryptographic protocol. However, the symmetric key used for encryption is also transmitted in the same packet, rendering the protection reliant solely on the obscurity of the scheme and allowing decryption by anyone capturing the traffic.
An attacker on the same local area network (LAN) can exploit this by passively listening to the broadcast packets sent when an administrator uses the utility to interact with Geovision devices. The attacker needs no privileges on the device or the utility, but exploitation depends on an administrator's interaction triggering the broadcast (UI:R in the vector). Successful capture and decryption of the credentials grants full control over the affected device, enabling actions such as changing its IP address or resetting it to factory defaults. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H) and is associated with CWE-656 (Reliance on Security Through Obscurity).
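To make the flaw described above, and the key-management controls (SC-12/SC-13) listed under Mitigating Controls, concrete, here is an added example. It is not GeoVision's code and does not use the utility's real packet format or cipher: it constructs a hypothetical datagram layout (a made-up `DEMO` header) that ships a symmetric key next to the credentials it encrypts, the passive listener that recovers them from the bytes alone, and a hardened variant whose per-message key is derived from a secret provisioned out of band and never placed on the wire. A SHA-256 counter-mode keystream stands in for the Blowfish-derived scheme, which is not public; the sample credentials, key, nonce and secret are all constructed values.

```python
"""Added example, not GeoVision's code or wire format: a constructed UDP
broadcast payload that ships its symmetric key next to the encrypted
credentials, the passive listener that recovers them, and a variant that
keeps the key out of the packet (the point of NIST SC-12 / SC-13)."""
import hashlib
import hmac
import struct
from typing import Optional

MAGIC = b"DEMO"  # hypothetical framing marker; the real utility's header is not public


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Used in place of the
    Blowfish-derived scheme, which is not public. The flaw shown here does not
    depend on the cipher: a sound cipher is useless when its key rides in the
    same datagram as the ciphertext."""
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + struct.pack(">I", counter)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_flawed_packet(key: bytes, username: str, password: str) -> bytes:
    """Flawed design from the advisory: key and ciphertext in one broadcast."""
    ct = keystream_xor(key, f"{username}:{password}".encode())
    return MAGIC + struct.pack(">BH", len(key), len(ct)) + key + ct


def sniff_flawed_packet(packet: bytes) -> Optional[bytes]:
    """Everything a passive LAN listener needs is inside the datagram itself."""
    if len(packet) < 7 or not packet.startswith(MAGIC):
        return None
    key_len, ct_len = struct.unpack(">BH", packet[4:7])
    key = packet[7:7 + key_len]
    ct = packet[7 + key_len:7 + key_len + ct_len]
    return keystream_xor(key, ct)


def build_hardened_packet(shared_secret: bytes, nonce: bytes,
                          username: str, password: str) -> bytes:
    """Hardened variant: the message key is derived from a secret provisioned
    out of band (e.g. at device enrolment), so only a nonce, the ciphertext
    and an HMAC tag go on the wire. The nonce must never repeat per secret."""
    msg_key = hmac.new(shared_secret, b"enc" + nonce, hashlib.sha256).digest()
    ct = keystream_xor(msg_key, f"{username}:{password}".encode())
    tag = hmac.new(shared_secret, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return MAGIC + struct.pack(">BH", len(nonce), len(ct)) + nonce + ct + tag


def open_hardened_packet(shared_secret: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side: verify the tag before decrypting; None on any mismatch."""
    if len(packet) < 7 or not packet.startswith(MAGIC):
        return None
    nonce_len, ct_len = struct.unpack(">BH", packet[4:7])
    nonce = packet[7:7 + nonce_len]
    ct = packet[7 + nonce_len:7 + nonce_len + ct_len]
    tag = packet[7 + nonce_len + ct_len:]
    expected = hmac.new(shared_secret, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    msg_key = hmac.new(shared_secret, b"enc" + nonce, hashlib.sha256).digest()
    return keystream_xor(msg_key, ct)


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    creds = ("admin", "Passw0rd!")
    flawed = build_flawed_packet(b"\x13\x37" * 4, *creds)
    print("sniffer recovers from flawed packet:", sniff_flawed_packet(flawed))
    secret = hashlib.sha256(b"provisioned-at-enrolment").digest()
    hardened = build_hardened_packet(secret, b"\x00\x00\x00\x01", *creds)
    print("sniffer against hardened packet:", sniff_flawed_packet(hardened))
    print("legitimate receiver:", open_hardened_packet(secret, hardened))
```

Running the script prints the recovered credentials from the flawed packet, while the same listener applied to the hardened packet gets only noise, because nothing in that datagram lets it derive the message key. The hardened variant still lets a passive observer see that an administrator is talking to a device; it only denies them the credentials, which is what the advisory's impact hinges on.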
Mitigation guidance and further details are available in advisories from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision at https://www.geovision.com.tw/cyber_security.php.
Details
- CWE(s)