cvedb.io
CVE-2026-7161
CRITICAL · CVSS 9.3
EPSS exploitation probability: 0%
Published 2026-05-04T01:16:04.447 · Last modified 2026-06-17T11:01:57.320

Summary

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encrypt

Affected products

geovision — gv-ip_device_utility

Does this affect you?

Add your gear to cvedb and we'll alert you only when geovision ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.