Forwarded from the National Cybersecurity Information Sharing and Analysis Center (NISAC-200-202510-00000262)
[Content Description] Researchers have discovered an OS command injection vulnerability (CVE-2018-25118) in GeoVision embedded IP devices. An unauthenticated remote attacker can inject arbitrary operating system commands and have them executed on the device. This vulnerability has already been exploited by attackers; please check whether your devices are affected and patch them as soon as possible.
[Affected Platforms] GV-BX1500, GV-MFD1501, and other embedded IP devices with firmware release dates prior to December 2017.
[Recommended Actions] Please update your firmware to the latest version.
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2018-25118
2. https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi