CVE-2026-42363: GeoVision GV-IP Device Utility Critical Credential Leak

The National Vulnerability Database reports a critical insufficient encryption vulnerability, CVE-2026-42363, in GeoVision GV-IP Device Utility 9.0.5. This flaw allows attackers on the same local area network (LAN) to intercept broadcast packets and decrypt device credentials. The utility, when interacting with GeoVision devices, transmits privileged commands that include usernames and passwords. While these are encrypted, the symmetric key for the Blowfish-derived scheme is also sent within the same packet. This effectively nullifies any cryptographic protection, reducing security to mere obscurity.

An attacker simply needs to listen to broadcast traffic when an administrator interacts with a GeoVision device. With the intercepted key and encrypted credentials, they can implement the algorithm to fully decrypt the username and password. This grants complete control over the device’s configuration, enabling changes to its IP address or even a factory reset. The National Vulnerability Database assigns this a CVSS score of 9.3 (CRITICAL), underscoring the severe impact of this credential exposure.

The core issue here is a fundamental cryptographic failure: sending the key alongside the encrypted data. This isn’t a complex exploit; it’s a glaring design flaw. Defenders need to understand that anything relying on ‘security through obscurity’ is inherently broken. This vulnerability presents a straightforward path to full device compromise for any attacker with LAN access, turning what should be secure device management into an open book.
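To make the design flaw concrete, here is an added illustration that is not GeoVision's code or the utility's actual wire format: the cipher is a constructed HMAC-SHA256 keystream standing in for the Blowfish-derived scheme, and the per-device PSK in the hardened variant is hypothetical. It contrasts a packet that carries its own key with one keyed from a secret provisioned out of band and protected by an authentication tag.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for the "Blowfish-derived scheme": a counter-mode keystream from
# HMAC-SHA256, chosen only so the demo runs on the standard library.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Flawed design, as the advisory describes it: the symmetric key is sent in the same
# packet as the encrypted credentials, so the ciphertext protects nothing.
def build_packet_key_inside(creds: bytes) -> bytes:
    key, nonce = os.urandom(16), os.urandom(8)
    return key + nonce + keystream_xor(key, nonce, creds)

def recover_from_packet_alone(packet: bytes) -> bytes:
    key, nonce, ct = packet[:16], packet[16:24], packet[24:]
    return keystream_xor(key, nonce, ct)  # no secret needed: the packet decrypts itself

# Hardened design: keys are derived from a secret provisioned out of band (a per-device
# PSK, hypothetical here), only a fresh nonce goes on the wire, and an HMAC tag rejects
# tampering. Encryption and authentication use separate derived keys.
def derive_key(psk: bytes, purpose: bytes) -> bytes:
    return hashlib.sha256(purpose + b"\x00" + psk).digest()

def build_packet_psk(psk: bytes, creds: bytes) -> bytes:
    nonce = os.urandom(8)
    ct = keystream_xor(derive_key(psk, b"enc")[:16], nonce, creds)
    tag = hmac.new(derive_key(psk, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_packet_psk(psk: bytes, packet: bytes) -> bytes:
    nonce, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    expected = hmac.new(derive_key(psk, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong PSK or modified packet")
    return keystream_xor(derive_key(psk, b"enc")[:16], nonce, ct)
```

A reviewer auditing a management protocol can apply the same test to any captured datagram: if the bytes needed to decrypt it are inside it, the encryption is decorative.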

What This Means For You

  • If your organization uses GeoVision GV-IP Device Utility 9.0.5 or earlier, assume credentials for managed devices are compromised if administrators have used the utility on the network. Isolate these devices immediately. Change all associated device passwords and investigate network segments for suspicious broadcast traffic. This isn't theoretical; it's a direct path to full device takeover.

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first is shown below.

critical · T1595.002 Reconnaissance

title: 'CVE-2026-42363: GeoVision GV-IP Device Utility Broadcast Credential Leak'
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects potential credential leakage related to CVE-2026-42363. This rule looks for DNS broadcast traffic (UDP port 53) originating from common internal IP ranges, specifically targeting broadcast addresses. The 'query' field is designed to capture indicators related to the GeoVision GV-IP Device Utility interacting with devices, which is a precursor to the credential leak vulnerability. Attackers can exploit this by listening to these broadcasts to intercept credentials.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42363/
tags:
  - attack.reconnaissance
  - attack.t1595.002
logsource:
  category: dns
detection:
  selection:
    dst_port:
      - 53
    # the cidr modifier makes these match as networks rather than as literal strings
    src_ip|cidr:
      - '192.168.1.0/24'
      - '10.0.0.0/8'
      - '172.16.0.0/12'
  selection_indicators:
    query|contains:
      - 'GV-IP Device Utility'
    dst_ip:
      - '255.255.255.255'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID              Type                    Indicator
CVE-2026-42363  Information Disclosure  GeoVision GV-IP Device Utility 9.0.5
CVE-2026-42363  Cryptographic Failure   Insufficient encryption in Device Authentication functionality
CVE-2026-42363  Information Disclosure  Credentials leak via broadcast packets (UDP) due to symmetric key included in packet

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
