Cyber Posture

CVE-2025-26264

Severity: High

Published: 27 February 2025

Modified: 15 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2954 (96.6th percentile)
Risk Priority: 35 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

GeoVision GV-ASWeb version 6.1.2.0 and earlier (fixed in 6.2.0) contains a Remote Code Execution (RCE) vulnerability in its Notification Settings feature. An authenticated attacker with "System Settings" privileges in ASWeb can exploit this flaw to execute arbitrary commands on the server, leading to full system compromise.

Security Summary

CVE-2025-26264 is a Remote Code Execution (RCE) vulnerability, classified under CWE-94, affecting GeoVision GV-ASWeb in versions 6.1.2.0 and earlier. The flaw exists within the Notification Settings feature, allowing arbitrary command execution on the underlying server.

An authenticated attacker with "System Settings" privileges in ASWeb can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction required. Successful exploitation leads to full system compromise, with high confidentiality, integrity, and availability impact, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Note that the vector rates the required privilege as low (PR:L) even though the attacker must already hold the "System Settings" privilege, so account hygiene on that privilege directly reduces exposure.

The vulnerability is fixed in GV-ASWeb version 6.2.0; the mitigation is to upgrade to that version or later. Relevant resources are the GeoVision GV-ASManager download page (https://www.geovision.com.tw/download/product/GV-ASManager%20%28Access%20Control%29) and a GitHub repository detailing the issue (https://github.com/DRAGOWN/CVE-2025-26264). Because the issue is publicly documented and the EPSS score sits in the 96.6th percentile, unpatched instances reachable over the network should be upgraded promptly; where an immediate upgrade is not possible, restrict network access to the ASWeb interface and limit which accounts hold the "System Settings" privilege.
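As an added example (not code from the Cyber Posture page, from GeoVision, or from the linked repository), the following Python triage helper turns the metadata above into an inventory check: it parses the CVSS vector, flags GV-ASWeb hosts still below the 6.2.0 fix, and reproduces the page's Risk Priority of 35. The scoring formula is an assumption: a weighted sum of EPSS (60%), KEV membership (20%, taken as 0 because the page lists no KEV date) and CVSS divided by 10 (20%). The hostnames and versions in the sample inventory are constructed for the example.

```python
"""Triage helper for CVE-2025-26264 in GeoVision GV-ASWeb.

Added example for this page; it is not Cyber Posture's or GeoVision's code.
Metadata values are copied from the page; the scoring formula, the hostnames
and the versions in SAMPLE_INVENTORY are assumptions made for the example.
"""
from dataclasses import dataclass

CVE_ID = "CVE-2025-26264"
FIXED_VERSION = "6.2.0"                 # page: "fixed in 6.2.0"
CVSS_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
CVSS_BASE = 8.8
EPSS = 0.2954
IN_KEV = False                          # page shows no "KEV Added" date


def parse_version(version: str) -> tuple:
    """'6.1.2.0' -> (6, 1, 2, 0); shorter strings are zero-padded so that
    '6.2' and '6.2.0.0' compare equal."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True for any build below the fixed release. The page names 6.1.2.0
    as the last affected build; treating every pre-6.2.0 build as affected
    is the conservative reading for inventory triage."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_cvss_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"unsupported vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)


def risk_priority(epss: float, in_kev: bool, cvss: float) -> int:
    """Weighted sum using the weights printed on the page (60% EPSS,
    20% KEV, 20% CVSS). Assumption: each input is normalised to 0..1 before
    weighting (EPSS is already a probability; KEV is 1 if listed; CVSS is
    divided by 10). With the page's inputs this yields 35."""
    kev_term = 1.0 if in_kev else 0.0
    return round(60 * epss + 20 * kev_term + 20 * (cvss / 10.0))


@dataclass
class Asset:
    host: str
    version: str


# Constructed sample inventory; hostnames and versions are not from the page.
SAMPLE_INVENTORY = [
    Asset("asweb-hq.example.internal", "6.1.2.0"),
    Asset("asweb-site2.example.internal", "6.0.0.0"),
    Asset("asweb-lab.example.internal", "6.2.0"),
]


def triage(assets: list) -> dict:
    """Return the page-derived priority, whether the flaw is reachable over
    the network (AV:N), whether it needs an authenticated account (PR != N),
    and which hosts still need the 6.2.0 upgrade."""
    metrics = parse_cvss_vector(CVSS_VECTOR)
    return {
        "cve": CVE_ID,
        "priority": risk_priority(EPSS, IN_KEV, CVSS_BASE),
        "network_reachable": metrics.get("AV") == "N",
        "requires_auth": metrics.get("PR") != "N",
        "needs_upgrade": [a.host for a in assets if is_affected(a.version)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    print(f"{report['cve']}: priority {report['priority']}, "
          f"network reachable: {report['network_reachable']}, "
          f"authentication required: {report['requires_auth']}")
    for host in report["needs_upgrade"]:
        print(f"  upgrade required: {host}")
```

Feed `triage()` the versions reported by your own asset inventory; anything it lists under `needs_upgrade` is below 6.2.0. If the CVE is later added to KEV, flipping `IN_KEV` to `True` raises the priority by the 20-point KEV weight.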

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
