CVE-2024-11120 — GeoVision Devices OS Command Injection Vulnerability


GeoVision EOL IP Cameras/NVRs — Unauthenticated OS Command Injection; No Patch (EoL); Exploited by Mirai-Based Botnet for DDoS Infrastructure

What is GeoVision?

GeoVision is a Taiwanese manufacturer of IP cameras, network video recorders (NVRs), and access control systems widely deployed in physical security installations globally. GeoVision devices are used for surveillance in commercial buildings, retail stores, banks, government facilities, and critical infrastructure. Many GeoVision devices that reached end-of-life (EoL) and end-of-service (EoS) status are still internet-facing — owners either do not know the devices have reached EoL or cannot replace them immediately. EoL IoT devices represent a persistent security challenge: they have known, unpatched vulnerabilities and are typically internet-accessible, making them attractive targets for botnet operators.

Overview

CVE-2024-11120 is an OS command injection vulnerability (CWE-78) in multiple GeoVision IP camera and NVR device models that have reached end-of-life. An unauthenticated remote attacker can send a specially crafted HTTP request to the device's web interface that injects operating system commands, achieving code execution on the embedded Linux system. There is no patch available — the affected devices are EoL/EoS. GeoVision explicitly states that users should discontinue use of the affected products. CISA added it to the KEV catalog in May 2025 after confirming that the vulnerability was being exploited by Mirai-based botnets to recruit the cameras into DDoS attack infrastructure.

Affected Versions

Product                      Status  Patch
GeoVision GV-VS12            EoL     No patch — discontinue use
GeoVision GV-VS11            EoL     No patch — discontinue use
GeoVision GV-DSP_LPR_V3      EoL     No patch — discontinue use
GeoVision GV-LX4C V2 / V3    EoL     No patch — discontinue use
Other GeoVision EoL devices  EoL     No patch — discontinue use

Refer to the GeoVision security advisory for the complete list of affected models.

Technical Details

The OS command injection (CWE-78) is in the web management interface of the affected GeoVision devices — specifically in CGI scripts or web server endpoints that process HTTP request parameters. These parameters are incorporated into shell commands without adequate sanitization, allowing an attacker to append additional shell commands via metacharacters (;, |, &&, etc.).
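The injection pattern described above, shown as an added example that is not GeoVision's code: the firmware is not written in Python and its real endpoints and parameter names are not reproduced here. The "host" parameter and the ping command are assumptions made only to contrast the vulnerable construction (parameter concatenated into a shell string) with a hardened one (allowlist validation plus an argv list executed without a shell).

```python
import re
import shlex
import subprocess

# Added illustration of the CWE-78 pattern; the "host" parameter and the
# ping command are assumptions for this demonstration, not the device's code.

# Allowlist: hostnames and IPv4 literals only, so no shell metacharacter can pass.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into a shell
    command string. If this string reaches a shell (system() in C, or
    subprocess with shell=True), a metacharacter in `host` terminates the
    intended command and starts a new one."""
    return "ping -c 1 " + host


def shell_tokens(cmd: str) -> list:
    """Tokenise a command string the way a POSIX shell would, so the effect
    of an injected separator is visible without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def build_command_safe(host: str) -> list:
    """Hardened pattern: reject anything outside the allowlist, then build an
    argv list that is executed without a shell, so separators are inert."""
    if not HOST_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the validated argv directly; no shell is ever involved."""
    return subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    tainted = "10.0.0.5; id"   # constructed tainted parameter value
    print("shell would see:", shell_tokens(build_command_unsafe(tainted)))
    try:
        build_command_safe(tainted)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The tokeniser output makes the failure mode concrete: the separator becomes its own token and everything after it is a second command. The hardened variant fixes both halves of the problem, since the allowlist rejects the input and the argv form would not interpret a separator even if one slipped through.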

Unauthenticated access: The vulnerable endpoints are accessible without authentication, making the attack executable by any internet-connected host.

Embedded Linux execution: GeoVision cameras run embedded Linux on MIPS or ARM processors. Because the web server on such firmware typically runs as root, command injection yields command execution with root privileges on the device.

Mirai botnet exploitation: Mirai and its variants (Mirai-based botnets like Moobot, Zerobot) continuously scan for exploitable IoT devices. Upon finding a vulnerable GeoVision camera, the botnet:

  1. Exploits the command injection to gain a shell
  2. Downloads and executes the Mirai binary (compiled for MIPS/ARM)
  3. Enrolls the device in the botnet, after which it participates in DDoS attacks on demand

Persistence challenges: Mirai malware typically does not survive a reboot on IoT devices with read-only filesystems — but the devices remain vulnerable to re-exploitation after rebooting, so the botnet simply re-infects them.

Discovery

The vulnerability was discovered by security researchers and reported to GeoVision, who published a security advisory in November 2024. Given the EoL status, GeoVision could only advise discontinuing use rather than releasing a patch.

Exploitation Context

CISA confirmed active exploitation and added CVE-2024-11120 to the KEV catalog on May 7, 2025. The exploitation is consistent with Mirai-based botnet operators who systematically target EoL IP cameras for DDoS-for-hire infrastructure. GeoVision devices with this vulnerability remained internet-exposed months after the EoL advisory because physical security equipment is rarely replaced quickly — camera replacements require physical installation work, budget approval, and system integration.

Remediation

  1. Discontinue use of affected GeoVision EoL devices — there is no patch. The CISA deadline was May 28, 2025.
  2. Replace EoL GeoVision devices with current-generation, supported hardware as the primary remediation.
  3. As an interim measure, remove internet exposure — if devices cannot be immediately replaced, place them behind a firewall or NAT that blocks all inbound internet connections to the camera web interface.
  4. Disable remote management via the internet — configure cameras to communicate only with a local NVR or VMS server, not directly to the internet.
  5. Check for Mirai infection indicators: unusual outbound traffic spikes (DDoS participation), unexpected connections to external IPs, device performance degradation.
  6. Implement network segmentation for all IoT/camera devices — place them on an isolated VLAN with no internet access and limited internal network access.
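The infection indicators listed in step 5 can be checked mechanically from connection logs exported by the camera VLAN's firewall or flow collector. The following is an added example, not part of the advisory: it runs over constructed log lines and flags any camera that talks to a destination outside the private address ranges (a camera should only reach its local NVR/VMS) or sends a single DDoS-sized burst. The log format, subnets, NVR address and byte threshold are all assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Added detector for the Mirai indicators named in the remediation list.
# Constructed sample: "timestamp src_ip dst_ip dst_port bytes_out" per line.
SAMPLE_LOG = """\
2025-05-10T10:00:01 10.20.0.11 10.20.0.2 554 18200
2025-05-10T10:00:05 10.20.0.12 10.20.0.2 554 17900
2025-05-10T10:00:09 10.20.0.12 198.51.100.7 80 4120
2025-05-10T10:01:00 10.20.0.12 203.0.113.9 23 900
2025-05-10T10:01:10 10.20.0.12 203.0.113.50 80 48000000
2025-05-10T10:01:12 10.20.0.11 10.20.0.2 554 18300
"""

CAMERA_SUBNET = ipaddress.ip_network("10.20.0.0/24")         # assumed camera VLAN
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.20.0.2")}  # assumed local NVR/VMS
SPIKE_BYTES = 10_000_000  # single-flow byte count treated as a DDoS-sized burst (assumed)


def parse_line(line: str):
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_external(addr) -> bool:
    """External means outside every RFC 1918 range; a camera should never reach one."""
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_indicators(log_text: str):
    """Return (findings, per-camera outbound byte totals).
    Each finding is a (camera_ip, indicator, detail) tuple."""
    findings = []
    out_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_line(line)
        if src not in CAMERA_SUBNET:
            continue                      # only cameras are in scope here
        out_bytes[str(src)] += nbytes
        if dst in ALLOWED_DESTINATIONS:
            continue                      # expected traffic to the NVR
        if is_external(dst):
            findings.append((str(src), "external connection",
                             "%s:%d at %s" % (dst, port, ts)))
        if nbytes >= SPIKE_BYTES:
            findings.append((str(src), "outbound volume spike",
                             "%d bytes to %s:%d" % (nbytes, dst, port)))
    return findings, dict(out_bytes)


def suspect_cameras(log_text: str) -> list:
    """Cameras with at least one indicator, sorted, for isolation and follow-up."""
    findings, _ = find_indicators(log_text)
    return sorted({src for src, _, _ in findings})


if __name__ == "__main__":
    findings, totals = find_indicators(SAMPLE_LOG)
    for camera, kind, detail in findings:
        print(camera, kind, detail)
    print("outbound totals:", totals)
    print("suspects:", suspect_cameras(SAMPLE_LOG))
```

In the sample, camera 10.20.0.11 only streams to the NVR and is clean, while 10.20.0.12 reaches three external hosts and sends one 48 MB burst, so it is the device to pull from the network and replace. The same allowlist (cameras may talk only to the NVR) is what the segmentation in step 6 should enforce at the firewall, so that this detector ideally never fires.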

Key Details

Property              Value
CVE ID                CVE-2024-11120
Vendor / Product      GeoVision — Multiple Devices
NVD Published         2024-11-15
NVD Last Modified     2025-10-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2025-05-07
CISA KEV Deadline     2025-05-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-05-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-11-15  CVE published; GeoVision publishes advisory for EoL devices (no patch available)
2025-05-07  CISA adds to KEV (Mirai botnet exploitation confirmed)
2025-05-28  CISA BOD 22-01 remediation deadline