CVE-2026-4860

Severity: Medium
Published: 26 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: none available
CVSS v4.0 score: 6.9 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0005 (17.4th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4860 is a medium-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4860 is a deserialization vulnerability in the wvp-GB28181-pro software up to version 2.7.4. The flaw resides in the GenericFastJsonRedisSerializer function within the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java, part of the API Endpoint component. It stems from improper input validation (CWE-20) and deserialization of untrusted data (CWE-502), earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation enables partial compromise of confidentiality, integrity, and availability through arbitrary deserialization, potentially leading to code execution or other impacts depending on the payload.

Advisories from VulDB and a GitHub issue in the wing3e/public_exp repository detail the vulnerability but note no vendor response despite early disclosure contact. No patches or official mitigations are available; practitioners should consider upgrading beyond version 2.7.4 if possible, restricting API Endpoint access, or implementing network segmentation and input validation as interim measures.

A public exploit has been released, increasing the risk of real-world attacks against exposed instances of this software.

Vulnerability details

A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s): CWE-20 (Improper Input Validation), CWE-502 (Deserialization of Untrusted Data)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated deserialization RCE in exposed API endpoint directly enables T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0465 (shared CWE-20, CWE-502)
CVE-2025-2376 (shared CWE-20, CWE-502)
CVE-2025-1113 (shared CWE-20, CWE-502)
CVE-2025-2689 (shared CWE-20, CWE-502)
CVE-2025-1177 (shared CWE-20, CWE-502)
CVE-2024-13136 (shared CWE-20, CWE-502)
CVE-2025-0734 (shared CWE-20, CWE-502)
CVE-2025-2855 (shared CWE-20, CWE-502)
CVE-2025-1186 (shared CWE-20, CWE-502)
CVE-2025-0841 (shared CWE-20, CWE-502)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly mitigates the deserialization vulnerability by enforcing validation of untrusted inputs to the API endpoint before processing.

Prevent (SC-7, Boundary Protection): Prevents remote exploitation by implementing boundary protections such as firewalls or network segmentation to restrict access to the vulnerable API endpoint.

Prevent: Addresses the flaw by requiring monitoring for patches or upgrades beyond version 2.7.4 to remediate the deserialization issue.