Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which the manufacturer no longer supports.
The vulnerability, now designated as CVE-2024-11120, has been assigned a high-severity CVSS score of 9.8 and used by a sophisticated botnet.
The security flaw is a pre-authentication command injection vulnerability, which allows attackers to execute arbitrary commands on vulnerable GeoVision devices without requiring authentication.
This poses a significant risk, enabling malicious actors to compromise devices remotely, and giving them full control over the affected systems.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders - Attend Free Webinar
The vulnerability was first reported by Shadowserver Foundation, a respected non-profit organization focused on improving internet security.
In a statement shared on X, Shadowserver confirmed, “We observed a 0-day exploit in the wild used by a botnet targeting GeoVision EOL devices. The pre-auth command injection vulnerability was verified in collaboration with TWCERT & GeoVision & assigned CVE-2024-11120.”
GeoVision, a company known for its video surveillance systems, has since confirmed the existence of the vulnerability in its End-of-Life (EOL) devices, which are no longer receiving security updates.
The collaboration with Shadowserver and Taiwan’s Computer Emergency Response Team (TWCERT) helped verify the issue, but due to the EOL status of many affected devices, patching options remain limited.
Security experts are urging organizations and individuals still using legacy GeoVision devices to take immediate action.
Recommended steps include disconnecting the devices from the internet if updates cannot be applied, segmenting the network, and replacing outdated hardware with more secure alternatives.
The botnet responsible for exploiting CVE-2024-11120 is actively targeting vulnerable devices to expand its network, posing a threat to both individuals and organizations globally.
Additional information on mitigations and workarounds is expected to be shared by relevant authorities in the coming days.
Simplify and speed up Threat Analysis Workflow by Auto-detonating Cyber Attacks in a Malware sandbox
