CISA reports active exploitation of two GeoVision Device vulnerabilities
Take action: If you are using GeoVision devices (models GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3), make sure they are isolated from the internet and accessible only from trusted networks. Then reach out to GeoVision for a possible patch and start planning a replacement: these are end-of-life products that won't be maintained further, and they are critically vulnerable and actively exploited by attackers.
CISA is reporting active exploitation of two critical GeoVision device vulnerabilities. Federal agencies have been directed to remediate these vulnerabilities by May 28, 2025, in accordance with Binding Operational Directive (BOD) 22-01.
Vulnerability summary
- CVE-2024-6047 (CVSS score 9.8): An OS command injection vulnerability in multiple end-of-life GeoVision devices, which fail to properly filter user input. This flaw allows unauthenticated remote attackers to inject and execute arbitrary system commands on affected devices.
- CVE-2024-11120 (CVSS score 9.8): Another OS command injection vulnerability affecting various GeoVision devices. Like the first vulnerability, this allows unauthenticated remote attackers to execute arbitrary commands on the target system.
In November 2024, Shadowserver observed a botnet exploiting the zero-day flaw CVE-2024-11120 in GeoVision end-of-life devices. The botnet is being used to carry out distributed denial-of-service (DDoS) attacks and cryptomining operations.
The vulnerabilities impact the following end-of-life (EOL) GeoVision products:
- GV-VS12
- GV-VS11
- GV-DSP_LPR_V3
- GVLX 4 V2
- GVLX 4 V3
Despite these vulnerabilities being reported months ago, approximately 17,000 Internet-facing GeoVision devices remain vulnerable to CVE-2024-11120. The geographic distribution of these vulnerable devices is:
- United States: 8,720 devices
- Germany: 1,518 devices
- Taiwan: 789 devices
- Canada: 761 devices
Organizations using the affected GeoVision products should identify and inventory all vulnerable devices, then apply patches if the vendor provides any or consider replacing end-of-life products with supported alternatives. In the meantime, they should isolate vulnerable devices that cannot be patched or replaced from critical networks.