CVE-2026-7161CRITICAL 9.3EPSS p11.5%

CVE-2026-7161CVE-2026-7161

geovision / gv-ip_device_utility

Description

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. W

Scoring

CVSS 3.19.3 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
EPSS0.21% probability of exploitation · percentile 11.5% · 2026-06-19T12:03:05Z
Published2026-05-04
Last modified2026-06-15

Underlying weaknesses· 1

CWE-656

References

  1. https://talosintelligence.com/vulnerability_reports/
  2. https://www.geovision.com.tw/cyber_security.php

1

TypeTargetConfidenceTier
WeaknessReliance on Security Through Obscuritycwe-6560%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-42363
CVE
CVE-2026-36174
CVE
GeoVision Devices OS Command Injection Vulnerability
CVE
CVE-2026-42370
CVE
CVE-2026-7372
CVE
CVE-2026-7841
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.