CVE-2024-6047 — GeoVision Devices OS Command Injection Vulnerability

CVE-2024-6047

GeoVision Multiple Devices — Unauthenticated OS Command Injection in End-of-Life IP Cameras and DVRs

What is GeoVision?

GeoVision is a Taiwanese manufacturer of IP cameras, digital video recorders (DVRs), network video recorders (NVRs), and physical access control systems widely deployed in commercial and industrial surveillance installations across Asia, North America, and Europe. Many GeoVision device lines have reached end-of-life and end-of-service status, meaning the manufacturer no longer provides firmware updates or security patches. These legacy devices remain deployed and network-connected in many organizations, often forgotten and unmonitored, creating a persistent vulnerability exposure on the network perimeter or internal segments.

Overview

CVE-2024-6047 is an OS command injection vulnerability affecting multiple GeoVision device models that allows an unauthenticated remote attacker to inject and execute arbitrary OS commands on the device. Because the affected models are predominantly end-of-life with no available firmware patches, GeoVision's and CISA's primary remediation recommendation is to discontinue use and replace affected devices. The delayed CISA KEV addition in May 2025 — approximately eleven months after CVE publication — reflects confirmed exploitation of these legacy devices, consistent with Mirai-based botnet operators that systematically scan for and recruit vulnerable IoT devices.

Affected Versions

Product                               Status
Multiple GeoVision IP camera models   End-of-life; no patch available
Multiple GeoVision DVR/NVR models     End-of-life; no patch available

Refer to GeoVision's Security Advisory 2024-11 for the specific list of affected model numbers. Because the devices are end-of-life, no firmware updates are expected.

Technical Details

CWE-78 (OS Command Injection). The affected GeoVision devices expose CGI-based web management interfaces that pass user-supplied input to shell commands without adequate sanitization. An unauthenticated attacker who can reach the device's web management port can inject OS shell metacharacters (;, |, `, $()) into CGI parameters, causing the device's firmware to execute attacker-controlled commands with the privileges of the web server process — typically root on embedded Linux-based device firmware.

Root-level code execution on an IP camera or DVR provides:

  • Full device takeover (configuration change, credential modification)
  • Persistent malware installation (Mirai bot, DDoS slave, crypto miner)
  • Access to the local network segment the device is connected to
  • Live video stream access and manipulation

Discovery

The vulnerability was reported to GeoVision, which published Security Advisory 2024-11 and acknowledged the end-of-life status of the affected products. CISA added the CVE to the KEV catalog on May 7, 2025 following confirmed exploitation.

Exploitation Context

The eleven-month gap between CVE publication and CISA KEV addition reflects a long tail of exploitation against legacy GeoVision devices. Mirai-style botnet operators systematically scan the internet for vulnerable IoT devices using known CVE exploitation scripts. Once recruited into a botnet, compromised cameras and DVRs are used for DDoS amplification attacks, proxy infrastructure, and — because they reside on internal network segments — as persistent footholds for network reconnaissance. The combination of end-of-life status (no patches), internet exposure (many surveillance cameras have public IP addresses or port-forwarded management), and privileged network positioning makes these devices high-value targets for automated exploitation.

Remediation

  1. Replace affected GeoVision end-of-life devices with supported models or alternative vendors that provide active security patching. This is the primary recommendation from both GeoVision and CISA.
  2. If immediate replacement is not possible: isolate the devices on a dedicated VLAN with no internet access and no routed access to sensitive internal network segments.
  3. Disable remote web management access and any DDNS or UPnP configurations that expose the device management interface to the internet.
  4. Conduct an inventory of all network-connected surveillance devices and identify any that are end-of-life or have not received firmware updates in the past two years.
  5. Monitor for signs of Mirai infection: unexpected outbound traffic to unusual IP ranges, unusual CPU usage, and modified device configurations.
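Step 5 above is easier to act on with a concrete check against the device's web-server or reverse-proxy access logs. The following Python script is an added example, not GeoVision's or CISA's code: it looks for CGI requests whose query parameters carry the shell metacharacters named in the Technical Details section (;, |, `, $()), and it goes one step beyond the text by decoding percent-encoding repeatedly so a double-encoded parameter is not missed. The log lines and the CGI path (/cgi-bin/status.cgi) are constructed placeholders, not real GeoVision endpoints or traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters from the CWE-78 description above (; | ` $( ) plus newline.
META = re.compile(r"[;|`\n]|\$\(")
# Pulls the request target out of a common-log-format line.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %253B -> %3B -> ; is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (name, decoded value) pairs of .cgi query params holding metacharacters."""
    url = urlsplit(target)
    if not url.path.lower().endswith(".cgi"):  # only CGI handlers reach the shell
        return []
    hits = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded once
        if META.search(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per log line whose CGI parameters look like injection."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"src": line.split()[0], "target": m.group("target"), "params": hits})
    return findings


SAMPLE_LOG = [  # constructed sample lines; hypothetical CGI path, not a GeoVision endpoint
    '10.0.0.5 - - [07/May/2025:10:00:01 +0000] "GET /cgi-bin/status.cgi?view=summary HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/May/2025:10:00:02 +0000] "GET /cgi-bin/status.cgi?view=summary%3Bid HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/May/2025:10:00:03 +0000] "GET /cgi-bin/status.cgi?view=%2524%2528id%2529 HTTP/1.1" 200 512',
    '10.0.0.7 - - [07/May/2025:10:00:04 +0000] "GET /images/logo.png?v=a;b HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The third sample line is double-encoded ($(id) written as %2524%2528id%2529) and is only caught because of the repeated decoding; the fourth is ignored because it does not target a CGI handler.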

Key Details

Property              Value
CVE ID                CVE-2024-6047
Vendor / Product      GeoVision — Multiple Devices
NVD Published         2024-06-17
NVD Last Modified     2025-10-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-78
CISA KEV Added        2025-05-07
CISA KEV Deadline     2025-05-28
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-05-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-06-17  CVE published
2025-05-07  Added to CISA Known Exploited Vulnerabilities catalog (delayed — approximately 11 months after publication)
2025-05-28  CISA KEV remediation deadline

References

Resource                                          Type
GeoVision Security Advisory — IP Device 2024-11   Vendor Advisory
NVD — CVE-2024-6047                               Vulnerability Database
CISA KEV Catalog Entry                            US Government