CVE-2026-42368
A privilege escalation vulnerability exists in the Web Interface functionality of LPC2011/LPC2211 (version(s): 1.10). A specially crafted HTTP request can lead to the execution of privileged operations. An attacker can visit a webpage to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
LPC2011/LPC2211 (version(s): 1.10)
LPC2011/LPC2211 - https://www.geovision.com.tw/product/GV-LPC2011
9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-266 - Incorrect Privilege Assignment
There are two different levels of users who can access the Web Interface of the camera. According to the user manual, “The Administrator has full access to all system configurations while the Guest can only access the live view and network status”. However, certain endpoints, in particular those under the “/geo-cgi/” path, fail to verify the level of the user and instead only verify that the session cookie is valid:
    /* Test if the path requested contains ssi.cgi, onvif in which case handles it differently. Snipped out for brevity */
    if ( strncmp(v6, "geo-cgi/", 8u) )
      goto LABEL_5; // if the path is neither what is mentioned above nor starts with geo-cgi, continue execution...
    /* if we're here, the requested path starts with geo-cgi */
    if ( !strncasecmp((const char *)req->params, "skey", 4u) )
    {
      /* Can go through if provided a session key */
      /* ...snipped...*/
    }
    else
    {
      /* if no session key, check for a valid cookie */
      client_id_ = get_client_id_from_cookie(req->Cookie);
      if ( SIuUTIL_WebResetTmCnt(client_id_, (int)req->remote_ip) != 0xF0000000 ) //0xF0000000 is success
      {
        /* reauth if session cookie invalid */
      }
      snprintf(
        v248,
        0x200u,
        "CGI authentication by client ID : remote_ip [%s] client_id [%d]!\n",
        req->remote_ip,
        client_id_);
      v226 = syscall(224);
      snprintf((char *)s, 0x220u, "(%d) %s[%d]: %s", v226, "geo_cgi_process", 4502, v248);
      syslog(6, "%s", (const char *)s);
    }
LABEL_320:
    url_path = (char *)req->url_path;
    goto LABEL_5; // PROCESS THE REQUEST
  }
This allows the low-privilege Guest user to access administrative features of the device that they shouldn’t be able to access.
At least two endpoints are noteworthy for privilege escalation:
With a GET request to the geo-cgi/sdk_fw_update.cgi endpoint, the device will reboot. It also seems possible to submit a valid firmware file to trigger a firmware update.
The geo-cgi/params.cgi endpoint is also particularly interesting as it allows a user to retrieve and modify many different settings of the device. For instance, accessing geo-cgi/param.cgi?action=list&group=Storage1.Filename./etc/shadow will return the device’s shadow file, while geo-cgi/param.cgi?action=list&group=Config.Export will export the device’s configuration, including the various usernames and passwords stored in plaintext on the device (including the Administrator credentials).
For these reasons, a malicious Guest user can easily escalate their privileges to the Administrator level, and tamper with the device settings, firmware, etc.
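The missing check described above can be contrasted with a role-aware gate. The following is an added example, not code from the firmware or from the vendor's patch; the session table, role enum, policy table, the "live/" prefix and all function names are hypothetical, and the path is assumed to be already canonicalised.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types: the firmware's real session structures are not shown. */
typedef enum { ROLE_NONE, ROLE_GUEST, ROLE_ADMIN } role_t;
typedef struct { int client_id; role_t role; } session_t;

/* Constructed session table: 101 = Administrator, 202 = Guest. */
static const session_t sessions[] = { { 101, ROLE_ADMIN }, { 202, ROLE_GUEST } };

/* Minimum role per path prefix; anything not listed is denied. */
static const struct { const char *prefix; role_t min_role; } policy[] = {
    { "geo-cgi/", ROLE_ADMIN },  /* administrative CGI handlers */
    { "live/",    ROLE_GUEST },  /* hypothetical guest-visible path */
};

static const session_t *find_session(int client_id) {
    for (size_t i = 0; i < sizeof sessions / sizeof sessions[0]; i++)
        if (sessions[i].client_id == client_id)
            return &sessions[i];
    return NULL;
}

/* Pattern described in the advisory: a valid session alone is sufficient. */
int authorize_session_only(const char *path, int client_id) {
    (void)path;
    return find_session(client_id) != NULL;
}

/* Hardened form: valid session AND the role meets the path's minimum. */
int authorize_with_role(const char *path, int client_id) {
    const session_t *s = find_session(client_id);
    if (s == NULL || path == NULL)
        return 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strncmp(path, policy[i].prefix, strlen(policy[i].prefix)) == 0)
            return s->role >= policy[i].min_role;
    return 0; /* default deny for unlisted paths */
}

int main(void) {
    const char *p = "geo-cgi/param.cgi";
    printf("guest, session-only check: %d\n", authorize_session_only(p, 202));
    printf("guest, role-aware check:   %d\n", authorize_with_role(p, 202));
    printf("admin, role-aware check:   %d\n", authorize_with_role(p, 101));
    return 0;
}
```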
2026-02-17 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2026-04-14 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos