PT-2026-35277 · Geovision · Gv-Ip Device Utility

Kelly Patterson +1 · Published 2026-04-26 · Updated 2026-05-23 · CVE-2026-42363

CVSS v3.1: 9.3 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Name of the Vulnerable Software and Affected Versions

GeoVision GV-IP Device Utility version 9.0.5

Description

Insufficient encryption in the Device Authentication functionality allows for the leakage of administrator credentials. When the utility sends privileged commands to devices over UDP broadcast, it uses a cryptographic protocol derived from Blowfish. However, the symmetric key required for decryption is included within the same packet, meaning security relies solely on the obscurity of the encryption scheme. An attacker on the same local area network (LAN) can capture these broadcast packets and decrypt the credentials to gain full control over the device configuration, enabling actions such as changing the IP address or performing a factory reset.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2026-42363

Affected Products

Gv-Ip Device Utility