A zero-day vulnerability in outdated GeoVision devices is being exploited by a malware botnet, potentially for DDoS or cryptomining purposes. Tracked as CVE-2024-11120, the flaw is a critical OS command injection vulnerability (CVSS 9.8) that allows unauthenticated attackers to execute arbitrary commands. Piotr Kijewski from The Shadowserver Foundation discovered the issue, which has already been exploited, as noted by Taiwan's CERT. The affected models are end-of-life products, including the GV-VS12, GV-VS11, GV-DSP LPR V3, and the GV-LX4C series, for which no security patches are expected.
Shadowserver reports around 17,000 vulnerable devices, with the majority (9,100) located in the U.S., followed by Germany and Canada. Signs of compromise include overheating, slow response, or unexpected configuration changes; if these occur, resetting the device, securing it with a strong password, disabling remote access, and using a firewall are recommended. Ideally, these devices should be replaced or isolated on a dedicated LAN and monitored.