Cyber Resilience

CVE-2026-42364

CriticalRCEUpdated

Published: 04 May 2026

Published
04 May 2026
Modified
15 June 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0161 72.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-42364 is a critical-severity OS Command Injection (CWE-78) vulnerability in Geovision Gv-Lpc2011 Firmware. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42364 is an OS command injection vulnerability in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 version 1.10. The flaw allows a specially crafted DDNS configuration to trigger arbitrary command execution on the affected device.

The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility with low complexity and low privilege requirements, no user interaction needed, and high scope with critical impacts on confidentiality, integrity, and availability. An attacker with low privileges, such as an authenticated user, can modify a configuration value via the DdnsSetting.cgi interface to inject and execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation details are available in advisories from Talos Intelligence (https://talosintelligence.com/vulnerability_reports/) and GeoVision (https://www.geovision.com.tw/cyber_security.php), which published on 2026-05-04. Security practitioners should consult these sources for patches or workarounds specific to LPC2011/LPC2211 devices.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An os command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in public-facing CGI (DdnsSetting.cgi) directly enables T1190 for initial access and results in arbitrary OS command execution via Unix shell (T1059.004) on the embedded Linux device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42365Same product: Geovision Gv-Lpc2011
CVE-2026-42366Same product: Geovision Gv-Lpc2011
CVE-2026-7371Same product: Geovision Gv-Lpc2011
CVE-2026-42368Same product: Geovision Gv-Lpc2011
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2015-10145Shared CWE-78

Affected Assets

geovision
gv-lpc2011 firmware
1.10
geovision
gv-lpc2211 firmware
1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation of DDNS configuration inputs to DdnsSetting.cgi against expected formats and values.

prevent

Mandates timely identification, reporting, and patching of the specific command injection flaw in DdnsSetting.cgi as detailed in vendor advisories.

prevent

Restricts and authorizes access to configuration change mechanisms like DdnsSetting.cgi, limiting low-privilege users from submitting malicious DDNS configurations.

References