CVE-2026-7372,CVE-2026-42369
Multiple exploitable stack overflow vulnerabilities exist in the WebCam Server functionality of GV-VMS V20 (version(s): 20.0.2). A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
GV-VMS V20 (version(s): 20.0.2)
GV-VMS V20 - https://www.geovision.com.tw/product/GV-VMS%20V20
10 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
The call to sscanf at [1] to split the Buffer variable into the username and password variables doesn’t limit the size of the extracted content to match the destination buffers’ sizes. In this case, if either the username or password decoded from the authorization string exceeds 40 characters (the size the stack variables username and password) then a stack overflow will occur.
The data is controlled by an attacker, but sronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service.
The b64decoder string is sized dynamically, but it is then copied to the Buffer stack variable one character at the time at [0], and there’s no bound-check. As such, if the decoded string is bigger than 256 characters (the size of the Buffer variable) then a stack overflow occurs. Because the data can be fully controlled by an attacker and lack of ASLR, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service.
2026-02-24 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2026-04-14 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos