Cyber Resilience

CVE-2026-7161

CriticalUpdated

Published: 04 May 2026

Published
04 May 2026
Modified
15 June 2026
KEV Added
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
EPSS Score 0.0021 11.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-7161 is a critical-severity Reliance on Security Through Obscurity (CWE-656) vulnerability in Geovision Gv-Ip Device Utility. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-7161 is an insufficient encryption vulnerability (CWE-656) in the Device Authentication functionality of GeoVision GV-IP Device Utility version 9.0.5. The affected component broadcasts privileged commands over UDP to Geovision devices on the network, including the username and password encrypted with a Blowfish-derived cryptographic protocol. However, the symmetric key used for encryption is also included in the packet, rendering the protection reliant on the obscurity of the encryption scheme.

An attacker on the same LAN can exploit this by passively listening to broadcast traffic when an administrator uses the utility to interact with a device. The attacker can then decrypt the credentials using their own implementation of the algorithm, as the key is exposed. Successful exploitation grants full control over the device configuration, such as changing its IP address or resetting it to factory defaults. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H), indicating high severity with required user interaction.

Mitigation guidance is available in related advisories, including the Talos Intelligence vulnerability report at https://talosintelligence.com/vulnerability_reports/ and GeoVision's cybersecurity page at https://www.geovision.com.tw/cyber_security.php.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various…

more

Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Why these techniques?

Vulnerability exposes credentials in LAN broadcast UDP traffic via weak encryption with included key, directly enabling passive capture of authentication material via network sniffing.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42363Shared CWE-656
CVE-2026-42364Same vendor: Geovision
CVE-2026-7372Same vendor: Geovision
CVE-2026-42365Same vendor: Geovision
CVE-2026-42370Same vendor: Geovision
CVE-2026-42366Same vendor: Geovision
CVE-2026-7371Same vendor: Geovision
CVE-2026-42368Same vendor: Geovision
CVE-2024-9138Shared CWE-656

Affected Assets

geovision
gv-ip device utility
9.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires protection of confidentiality and integrity for transmitted information, directly preventing eavesdropping on broadcast packets containing credentials.

prevent

Mandates implementation of approved cryptographic protections, addressing the use of weak Blowfish-derived encryption that exposes credentials.

prevent

Enforces proper cryptographic key management, preventing inclusion of the symmetric key in the same packet as encrypted credentials.

References