CVE-2018-25118

CRITICAL EXPLOITED

GeoVision embedded IP devices - Command Injection

Title source: llm

Exploitation Summary

CVE-2018-25118 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including bashis.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in Geovision IP cameras, including remote command execution via command injection in CGI parameters, unauthorized access to sensitive endpoints, and memory corruption issues like double free and stack overflow. The PoC includes curl commands to trigger these vulnerabilities, leading to arbitrary code execution and privilege escalation.

Description

GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.

Exploits (1)

exploitdb WORKING POC

by bashis · textremotehardware

https://www.exploit-db.com/exploits/43982

View Code ZIP pw:eip

This exploit demonstrates multiple vulnerabilities in Geovision IP cameras, including remote command execution via command injection in CGI parameters, unauthorized access to sensitive endpoints, and memory corruption issues like double free and stack overflow. The PoC includes curl commands to trigger these vulnerabilities, leading to arbitrary code execution and privilege escalation.

Classification

Working Poc 100%

Attack Type

Rce | Auth Bypass | Info Leak | Dos

Complexity

Trivial

Reliability

Reliable

Target: Geovision IP Camera/Video/Access Control (multiple models, FW before Nov/Dec 2017)

No auth needed

Prerequisites: Network access to the vulnerable device · No authentication required

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/43982

Various Sources exploit

https://github.com/mcw0/PoC/blob/fb06efe05b7e240dc88ff31eb30e1ef345509dce/Geovision-PoC.py#L15

View Writeup ZIP pw:eip

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi

Various Sources release-notes patch

https://www.geovision.com.tw/blog/?cat=14

Third Party Advisory, US Government Resource third-party-advisory government-resource exploit

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

Scores

CVSS v4 10.0

EPSS 0.0121

EPSS Percentile 64.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-10-20

CWE

CWE-78

Status published

Products (3)

GeoVision Inc./GeoVision embedded IP devices < November/December 2017 firmware

GeoVision Inc./GV-BX1500 < November/December 2017 firmware

GeoVision Inc./GV-MFD1501 < November/December 2017 firmware

Published Oct 20, 2025

Tracked Since Feb 18, 2026