Cyber Posture

CVE-2026-42365

Severity: High
Published: 04 May 2026
Modified: 05 May 2026
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0008 (22.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42365 is a high-severity Predictable from Observable State (CWE-341) vulnerability in Geovision Gv-Lpc2011 Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 22.6th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-7 (Unsuccessful Logon Attempts).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires management of authenticators, including session cookies, with sufficient entropy, randomness, and protection to prevent them from being guessable via brute force.

Prevent: Limits consecutive unsuccessful authentication attempts, mitigating brute-force attacks on session cookies even if they are partially guessable.

Prevent: Provides mechanisms to ensure the authenticity of web communications sessions, reducing the risk of exploitation through guessed or unauthorized session cookies.
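The two controls the page ranks highest (authenticator entropy for session cookies, and a limit on consecutive failed attempts) are easy to get wrong in embedded web interfaces. The following is an added example, not GeoVision's code and not the page's own: it contrasts a session identifier derived from observable device state (the CWE-341 pattern) with one drawn from the OS CSPRNG, and wraps validation in a per-client lockout. The identifier formats, the lockout threshold, and the client labels are assumptions chosen for illustration.

```python
"""Session-cookie issuance and validation that addresses CWE-341 and the
AC-7-style lockout described on this page.

Added example; not GeoVision or NVD code. Token formats, thresholds and
sample client labels are assumptions for illustration.
"""
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def weak_session_id(boot_seconds: int, login_counter: int) -> str:
    """CWE-341 pattern (constructed): the token is a pure function of values an
    observer can learn or estimate (device uptime, number of logins), so the
    effective search space is tiny no matter how long the hex string looks."""
    return hashlib.md5(f"{boot_seconds}:{login_counter}".encode()).hexdigest()


def weak_search_space_bits(max_uptime_seconds: int, max_logins: int) -> float:
    """Effective entropy of weak_session_id in bits: log2 of the number of
    distinct (uptime, counter) inputs, which is what actually bounds guessing."""
    return math.log2(max_uptime_seconds * max_logins)


def secure_session_id(nbytes: int = 32) -> str:
    """Token from the OS CSPRNG: nbytes*8 bits of entropy (256 for the default),
    which is the authenticator-management requirement the page points at."""
    return secrets.token_urlsafe(nbytes)


def _fingerprint(cookie: str) -> str:
    """Store and compare a hash of the cookie rather than the raw value, so a
    leaked session table does not yield usable cookies."""
    return hashlib.sha256(cookie.encode()).hexdigest()


@dataclass
class SessionStore:
    """Validates session cookies and locks a client out after too many
    consecutive failures (the unsuccessful-attempts control)."""
    max_failures: int = 5
    lockout_seconds: float = 300.0
    _sessions: Set[str] = field(default_factory=set)          # sha256 fingerprints
    _failures: Dict[str, int] = field(default_factory=dict)   # client -> consecutive failures
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def issue(self) -> str:
        sid = secure_session_id()
        self._sessions.add(_fingerprint(sid))
        return sid

    def is_locked(self, client: str, now: float) -> bool:
        return now < self._locked_until.get(client, 0.0)

    def validate(self, client: str, cookie: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(client, now):
            return False  # refused even with a valid cookie while locked out
        fp = _fingerprint(cookie)
        # Constant-time comparison over the stored fingerprints avoids leaking
        # how many leading bytes of the cookie matched.
        ok = any(hmac.compare_digest(fp, stored) for stored in self._sessions)
        if ok:
            self._failures.pop(client, None)  # success resets the counter
            return True
        count = self._failures.get(client, 0) + 1
        self._failures[client] = count
        if count >= self.max_failures:
            self._locked_until[client] = now + self.lockout_seconds
            self._failures.pop(client, None)
        return False


if __name__ == "__main__":
    # Constructed comparison: a month of uptime and 1024 logins vs. 256 bits.
    print("weak token search space: %.1f bits" % weak_search_space_bits(2**21, 2**10))
    store = SessionStore(max_failures=3, lockout_seconds=60.0)
    sid = store.issue()
    print("valid cookie accepted:", store.validate("client-a", sid, now=0.0))
    for _ in range(3):
        store.validate("client-a", "not-a-real-cookie", now=1.0)
    print("locked after 3 failures:", store.is_locked("client-a", 2.0))
```

The lockout is keyed per client so one misbehaving source cannot lock everyone out, and a successful validation clears the failure counter. `weak_search_space_bits` is the number defenders should compare against the nominal token length: a 32-hex-character token with about 31 bits of real input entropy is still a guessable token.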

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The vulnerability in the public web interface directly enables remote exploitation via crafted HTTP requests (T1190), and the guessable session cookies make brute-force guessing a path to authentication bypass (T1110).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.

Deeper analysis

CVE-2026-42365 is a guessable session cookie vulnerability in the Web Interface functionality of GeoVision LPC2011/LPC2211 version 1.10, published on 2026-05-04T01:16:03.620. A specially crafted series of HTTP requests can lead to an authentication bypass: an attacker can brute-force session cookies to trigger the vulnerability. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-341 (Predictable from Observable State).

Any unauthenticated attacker with network access can exploit this vulnerability, given its network vector, low attack complexity, and lack of required privileges or user interaction. Successful exploitation enables brute-forcing of session cookies to bypass authentication, resulting in high confidentiality impact across a scoped security boundary (S:C).

Advisories with potential mitigation details are available from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision at https://www.geovision.com.tw/cyber_security.php.

Details

CWE(s)

CWE-341 Predictable from Observable State

Affected Products

geovision gv-lpc2011 firmware 1.10
geovision gv-lpc2211 firmware 1.10

CVEs Like This One

CVE-2026-42364 (same product: Geovision Gv-Lpc2011)
CVE-2026-42366 (same product: Geovision Gv-Lpc2011)
CVE-2026-7371 (same product: Geovision Gv-Lpc2011)
CVE-2026-42368 (same product: Geovision Gv-Lpc2011)
CVE-2026-7372 (same vendor: Geovision)
CVE-2026-42370 (same vendor: Geovision)
CVE-2026-7161 (same vendor: Geovision)

References