CVE-2026-42363 - Vulnerability Analysis
Critical | CVSS: 9.3 | Last Updated: April 27, 2026
GeoVision GV-IP Device Utility - Broken Access Control
Published: April 27, 2026 | Updated: April 27, 2026 | Remote Exploitable
Overview
GeoVision GV-IP Device Utility 9.0.5 contains an insufficient encryption vulnerability in Device Authentication: the symmetric key is included in broadcast packets, which lets attackers on the same LAN decrypt credentials and gain full device control. Exploitation requires the attacker to be on the same LAN and an admin user to interact with the device.
Severity & Score
Severity: Critical
CVSS Score: 9.3
Impact
Attackers on the same LAN can decrypt credentials, gaining full control over device configuration including IP changes and factory reset.
Mitigation
Update to the latest version with improved encryption, or contact the vendor for patches.
Details
- CVE ID: CVE-2026-42363
- Severity: Critical
- CVSS Score: 9.3
- Type: weak_cryptography
- Status: new
CWE
- CWE-656
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H