Cyber Resilience

CVE-2026-42365

Severity: High
Published: 04 May 2026
Modified: 15 June 2026
KEV Added: not listed
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0033 (24.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42365 is a high-severity Predictable from Observable State (CWE-341) vulnerability in GeoVision GV-LPC2011 firmware. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-7 (Unsuccessful Logon Attempts).

Deeper analysis

CVE-2026-42365 is a guessable session cookie vulnerability in the Web Interface functionality of GeoVision LPC2011/LPC2211 version 1.10, published on 2026-05-04T01:16:03.620. A specially crafted series of HTTP requests can lead to an authentication bypass: because session cookies are predictable, an attacker can brute-force them to trigger the vulnerability. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-341.

Any unauthenticated attacker with network access can exploit this vulnerability: the attack complexity is low, no privileges or user interaction are required, and the attack vector is the network. Successful exploitation allows session cookies to be brute-forced to bypass authentication, resulting in high confidentiality impact across a changed security scope (S:C).

Advisories with potential mitigation details are available from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision at https://www.geovision.com.tw/cyber_security.php.


Vulnerability details

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can bruteforce session cookies to trigger this vulnerability.

CWE(s): CWE-341 Predictable from Observable State

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The vulnerability sits in a public web interface and is triggered by crafted HTTP requests, so it directly enables remote exploitation (T1190); the guessable session cookies allow brute-force guessing of a valid session to achieve the authentication bypass (T1110).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-42364: same product (GeoVision GV-LPC2011)
- CVE-2026-42366: same product (GeoVision GV-LPC2011)
- CVE-2026-7371: same product (GeoVision GV-LPC2011)
- CVE-2026-42368: same product (GeoVision GV-LPC2011)
- CVE-2026-7372: same vendor (GeoVision)
- CVE-2026-42370: same vendor (GeoVision)
- CVE-2026-7161: same vendor (GeoVision)
- CVE-2026-36609: shared CWE-341

Affected Assets

Vendor | Product | Version
geovision | gv-lpc2011 firmware | 1.10
geovision | gv-lpc2211 firmware | 1.10

Mitigating Controls (NIST 800-53 r5, AI-mapped)

- IA-5 Authenticator Management (prevent): Directly requires management of authenticators, including session cookies, with sufficient entropy, randomness, and protection to prevent them from being guessable via brute force.
- AC-7 Unsuccessful Logon Attempts (prevent): Limits consecutive unsuccessful authentication attempts, mitigating brute-force attacks on session cookies even if they are partially guessable.
- Session authenticity control (prevent): Provides mechanisms to ensure the authenticity of web communications sessions, reducing the risk of exploitation through guessed or unauthorized session cookies.
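The two controls the page names, IA-5 (unguessable session authenticators) and AC-7 (limiting consecutive failed attempts), are easiest to reason about next to the CWE-341 anti-pattern they address. The following Python is an added illustration written for this page; it is not code from the GeoVision firmware, the Talos advisory, or this site, and the `SessionStore` class, the lockout numbers and the `looks_predictable` audit check are assumptions chosen for the example. The weak generator derives an id from a counter and the clock (observable state), the hardened one draws 256 bits from the OS CSPRNG, and the store locks a client out after a fixed number of consecutive failed cookie validations.

```python
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 32          # 256 bits of entropy; brute force over this space is infeasible
MAX_FAILED_ATTEMPTS = 5   # AC-7 style: consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 300     # constructed value for the example


def predictable_session_id(counter: int, epoch_seconds: int) -> str:
    """CWE-341 anti-pattern (constructed for illustration): the id is a function of
    observable state, so seeing one id reveals its neighbours."""
    return f"{epoch_seconds:08x}{counter:04x}"


def random_session_id() -> str:
    """IA-5 style authenticator: 32 bytes from the OS CSPRNG, hex-encoded (64 chars)."""
    return secrets.token_hex(TOKEN_BYTES)


def looks_predictable(ids: list[str], max_delta: int = 1 << 16) -> bool:
    """Audit check: consecutive hex ids whose numeric distance is always small are
    almost certainly derived from a counter or clock rather than a CSPRNG."""
    values = [int(i, 16) for i in ids]
    deltas = [abs(b - a) for a, b in zip(values, values[1:])]
    return bool(deltas) and all(d < max_delta for d in deltas)


@dataclass
class SessionStore:
    """Server-side session table with per-client failure counting (hypothetical design)."""
    sessions: set = field(default_factory=set)
    failures: dict = field(default_factory=dict)       # client -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # client -> unix time lock expires

    def issue(self) -> str:
        sid = random_session_id()
        self.sessions.add(sid)
        return sid

    def is_locked(self, client: str, now: float) -> bool:
        return self.locked_until.get(client, 0.0) > now

    def validate(self, client: str, presented: str, now: float) -> bool:
        # A locked client is refused even if it presents a valid cookie, which is
        # what stops a guessing loop from eventually landing on a real session.
        if self.is_locked(client, now):
            return False
        if presented in self.sessions:
            self.failures.pop(client, None)   # success resets the counter
            return True
        count = self.failures.get(client, 0) + 1
        self.failures[client] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            self.failures.pop(client, None)
        return False


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue()
    print("issued:", sid)
    print("weak ids predictable:",
          looks_predictable([predictable_session_id(i, 1700000000) for i in range(5)]))
    print("random ids predictable:",
          looks_predictable([random_session_id() for _ in range(5)]))
```

The `looks_predictable` check is the kind of test a reviewer can run against a device's issued cookies during an assessment: a sequence of ids that differ by small increments is the signature of CWE-341, whereas CSPRNG output will never satisfy it. The lockout is keyed by client because the attack the page describes is unauthenticated, so there is no account to count failures against.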
