CVE-2026-42370
A stack overflow vulnerability exists in the WebCam Server Login functionality of GV-VMS V20 (version(s): 20.0.2). A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
GV-VMS V20 (version(s): 20.0.2)
GV-VMS V20 - https://www.geovision.com.tw/product/GV-VMS%20V20
9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-787 - Out-of-bounds Write
GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but it is also possible to enable remote access via the “WebCam Server” feature. Once enabled, the management and monitoring features can be accessed through a regular web interface. This web server is another native application, compiled without ASLR, which makes exploitation much easier and more likely.
Upon certain login flows, the server logs the username (provided via the id field of the HTTP request) and the IP address of the user trying to log in, regardless of whether the authentication succeeds. However, there is no length check on the username, so a stack overflow can occur (pre-auth) while preparing the data to be logged if the username provided exceeds the size of the buffer. This can be seen below in the log_login function (arbitrary name from reverse engineering):
void __fastcall log_login(
        CGeoHttpSrvApp *a1,
        char bSuccess,
        struct ATL::CStringData *username,
        struct ATL::CStringData *remote_ip,
        char is_web_api)
{
    char *username_cstr; // rax
    char *remote_ip_c_str; // rax
    struct _SYSTEMTIME SystemTime; // [rsp+28h] [rbp-B00h] BYREF
    GVADB_CMD_ADD_DATA log_data; // [rsp+40h] [rbp-AE8h] BYREF
    __int64 v9; // [rsp+B10h] [rbp-18h]
    BOOL v10; // [rsp+B18h] [rbp-10h]

    v9 = -2i64;
    GVADB_CMD_ADD_DATA_ctor(&log_data, -1); // will be logged with CGVLogClient::Add
    log_data.field_10 = 0;
    log_data.field_14[0] = 0;
    log_data.field_14[1] = 2; // table_id
    log_data.field_14[3] = 1;
    log_data.field_14[2] = 0;
    v10 = bSuccess == 0;
    log_data.field_14[4] = v10;
    username_cstr = deref_ptr(username);
    strcpy(&log_data.field_14[74], username_cstr); // [0]
    remote_ip_c_str = deref_ptr(remote_ip);
    if ( is_web_api )
        sprintf(&log_data.field_14[9], "%s (Web API)", remote_ip_c_str);
    else
        sprintf(&log_data.field_14[9], "%s (Http Server)", remote_ip_c_str);
    GetLocalTime(&SystemTime);
    memmove(&log_data.field_14[5], &SystemTime, 0x10ui64);
    if ( a1->GVADB_CMD_GETSQL_DATA.field_220 )
        GvAccessDBDll_Execute(a1->GVADB_CMD_GETSQL_DATA.field_220, &log_data);
    GVADB_CMD_ADD_DATA_dtor(&log_data);
    // username is one of the arguments but is located on the stack and thus can be overwritten with an overflow
    ATL::CStringData_release(username); // <- decreases a ref count and if necessary call destructor
    ATL::CStringData_release(remote_ip);
} // no stack cookie here
We can see that at [0] the username variable is copied via an unsafe call to strcpy onto a stack variable. If the data exceeds the buffer’s size, a stack overflow occurs and it’s possible to overwrite the return address of the function. The WebcamServer.exe process and some of the loaded DLLs are compiled with ASLR disabled; as such, exploitation becomes more likely as it is possible to guess the stack address and the addresses of various ROP gadgets.
Successful exploitation could lead to Remote Code Execution (RCE) as SYSTEM on the host machine.
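For contrast with the unchecked strcpy at [0] and the sprintf calls that follow it, here is a bounded version of the same record-building step. It is an added example, not code from the advisory or the vendor's fix. The struct layout, the 64-byte field sizes, and the names login_record, copy_field and build_login_record are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the advisory does not give the real field lengths. */
#define USERNAME_FIELD_LEN 64
#define SOURCE_FIELD_LEN   64

/* Hypothetical stand-in for the record that log_login fills in. */
struct login_record {
    int  failed;
    char source[SOURCE_FIELD_LEN];
    char username[USERNAME_FIELD_LEN];
};

/* Copy src into a fixed-size field. Input that does not fit, terminator
 * included, is refused instead of being written past the end. */
static int copy_field(char *dst, size_t dst_len, const char *src)
{
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Returns 0 when the record was built, -1 when an input was rejected. */
int build_login_record(struct login_record *rec, int success,
                       const char *username, const char *remote_ip,
                       int is_web_api)
{
    int n;
    memset(rec, 0, sizeof *rec);
    rec->failed = !success;
    if (copy_field(rec->username, sizeof rec->username, username) != 0)
        return -1;
    /* snprintf never writes more than the size it is given. */
    n = snprintf(rec->source, sizeof rec->source, "%s (%s)", remote_ip,
                 is_web_api ? "Web API" : "Http Server");
    return (n < 0 || (size_t)n >= sizeof rec->source) ? -1 : 0;
}

int main(void)
{
    struct login_record rec;
    /* Constructed sample input (documentation IP range). */
    int rc = build_login_record(&rec, 0, "operator", "192.0.2.10", 0);
    printf("rc=%d user=%s source=%s\n", rc, rec.username, rec.source);
    return rc == 0 ? 0 : 1;
}
```

Rejecting the overlong value is one design choice; a logger that must record every attempt could instead truncate to the field size and flag the record as truncated.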
2026-02-24 - Initial Vendor Contact
2026-02-24 - Vendor Disclosure
2025-12-02 - Vendor Patch Release
2026-06-15 - Public Release
Philippe Laulheret of Cisco Talos