Critical flaw reported in end-of-life GeoVision devices, actively exploited by malware botnet
Take action: If you are using GeoVision surveillance devices, consider them under attack. There won't be a patch for end-of-life devices. Isolate the devices from the internet, then perform a factory reset of any affected devices, change default admin passwords and disable remote access panels. Ideally, replace them with supported models.
A critical security vulnerability has been discovered affecting multiple end-of-life GeoVision surveillance devices, which is actively being exploited by a malware botnet. The botnet has been identified as a Mirai variant, associated with DDoS attacks and cryptocurrency mining operations.
The malware exploits the zero-day vulnerability to execute arbitrary system commands on affected devices without requiring authentication.
- CVE-2024-11120 (CVSS score: 9.8) - OS command injection vulnerability allowing unauthenticated remote code execution.
The vulnerability affects several GeoVision models that have reached end-of-life status and are no longer receiving security updates:
- GV-VS12 (2-channel H.264 video server)
- GV-VS11 (single-channel video server)
- GV-DSP LPR V3 (Linux-based license plate recognition system)
- GV-LX4C V2 / GV-LX4C V3 (compact mobile surveillance DVRs)
As of the 16th of November 2024, the Shadowserver Foundation has identified approximately 17,000 vulnerable GeoVision devices exposed online globally, more than half of them (9,100 devices) in the United States, and 1,600 devices in Germany.
Indicators of compromise on a device are excessive heating, degraded performance or unresponsiveness, and unexplained configuration changes.
Users are advised to isolate the devices from the internet, then perform a factory reset of any affected devices, change default admin passwords and disable remote access panels. Ideally, replace them with supported models.