CISA Adds GeoVision Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities affecting GeoVision surveillance devices to its Known Exploited Vulnerabilities (KEV) Catalog, citing active exploitation in the wild. These vulnerabilities pose a significant risk to end-of-life (EOL) GeoVision devices, which are no longer receiving vendor support, making them prime targets for cybercriminals.

1. Overview of GeoVision Vulnerabilities

CVE-2024-6047: OS Command Injection

• Vulnerability Type: OS Command Injection (CWE-78)
• Affected Devices: Multiple EOL GeoVision surveillance systems
• Impact: Remote Code Execution (RCE)
• CVSS Score: 9.8 (Critical)

CVE-2024-11120: Pre-Auth Command Injection

• Vulnerability Type: Pre-Authentication Command Injection
• Affected Devices: GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2/V3
• Impact: Remote Code Execution (RCE)
• CVSS Score: 9.8 (Critical)

2. Exploitation Details

Active Exploitation

• Threat actors have weaponized CVE-2024-11120, using it to build botnets for DDoS attacks and cryptomining operations.
• Shadowserver Foundation observed botnet activity leveraging this vulnerability as early as November 2024.
• Taiwan’s TWCERT confirmed that these vulnerabilities are actively exploited, with multiple independent reports verifying ongoing attacks.

Scale of Exposure

• Approximately 17,000 internet-facing GeoVision devices remain vulnerable.
• Most affected regions:
• United States (8,720 devices)
• Germany (1,518 devices)
• Taiwan (789 devices)
• Canada (761 devices)

3. Mitigation Strategies

A. Apply Security Updates

• GeoVision devices affected by CVE-2024-6047 and CVE-2024-11120 are EOL, meaning no official patches are available.
• Organizations must replace outdated devices with supported alternatives.

B. Restrict Network Access

• Disable remote access to vulnerable GeoVision devices.
• Implement firewall rules to block unauthorized connections.

C. Monitor for Exploitation

• Deploy Intrusion Detection Systems (IDS) to flag suspicious activity.
• Audit logs for unauthorized command execution attempts.

4. Compliance Requirements

Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by May 28, 2025.

5. Conclusion

The inclusion of CVE-2024-6047 and CVE-2024-11120 in CISA’s KEV Catalog highlights the critical nature of these vulnerabilities. Organizations using EOL GeoVision surveillance devices must prioritize replacement, restrict access, and monitor for exploitation to mitigate risks.