CVE-2026-42365
A guessable session cookie vulnerability exists in the Web Interface functionality of LPC2011/LPC2211 (version(s): 1.10). A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LPC2011/LPC2211 (version(s): 1.10)
LPC2011/LPC2211 - https://www.geovision.com.tw/product/GV-LPC2011
8.6 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-340 - Predictability Problems
The Client ID that is being used as a session cookie is generated with insufficient randomness and is therefore easily guessable and brute-forceable.
The functions SIuUTIL_WebNewAdmId and SIuUTIL_WebNewGstId both call a helper function responsible for generating a pseudo-random Client ID. The code is as follows:
```c
#include <stdlib.h>
#include <time.h>

int sub_CB6C()
{
    time_t seedval; // [sp+0h] [bp+0h] BYREF (decompiler typed this as int)
    int v2;         // [sp+4h] [bp+4h], unused local left over from the decompilation

    v2 = 0;
    time(&seedval);             // [0] seed is the current wall-clock time
    srand48(seedval);
    return lrand48() % 100000;  // [1] output reduced to 100000 possible values
}
```
There are two separate problems in the code above. At [0] the random number generator is seeded with the current time, which is not a valid source of entropy for security purposes: it is easy to guess the approximate time someone logged in and therefore recover the seed. At [1], the value returned by lrand48 is reduced modulo 100000. This shrinks the output range of the generator and makes it fairly easy to brute-force every possible Client ID.
When accessing CGI endpoints via the web interface, endpoints requiring admin access are gated with a call to the SIuUTIL_WebLoginIsAdmin function. This call only checks for the proper Client ID, but does not associate it with the remote IP address the session was created from. As such, if a user logged in recently, an attacker could brute-force their session cookie and perform privileged operations on the web server.
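As an added illustration of the two fixes the analysis above implies (not the vendor's code, and not part of the original advisory): a measure of how small the 100000-value ID space is, a replacement generator drawing 128 bits from the OS CSPRNG, and a session check that also binds the ID to the address the login came from. `/dev/urandom` as the entropy source and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bits needed to enumerate an ID space of n values; 100000 -> 17, i.e. a
 * space small enough to try exhaustively, as the advisory points out. */
int id_space_bits(unsigned long n)
{
    int bits = 0;
    for (unsigned long v = (n == 0) ? 0 : n - 1; v; v >>= 1)
        bits++;
    return bits;
}

/* Hardened generator (assumed design): 128 bits from the OS CSPRNG, hex-encoded
 * into a caller-supplied 33-byte buffer. Returns 0 on success, -1 on failure. */
int strong_client_id(char out[33])
{
    unsigned char raw[16];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Server-side check that also binds the session to the client address recorded
 * at login, closing the gap described for SIuUTIL_WebLoginIsAdmin. The ID
 * compare runs in constant time so a mismatch does not leak a matching prefix. */
int session_is_valid(const char *stored_id, const char *stored_ip,
                     const char *presented_id, const char *remote_ip)
{
    size_t n = strlen(stored_id);
    if (strlen(presented_id) != n)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(stored_id[i] ^ presented_id[i]);
    return diff == 0 && strcmp(stored_ip, remote_ip) == 0;
}
```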
2026-02-17 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2026-04-14 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos