Cyber Posture

CVE-2026-42365

High

Published: 04 May 2026
Modified: 05 May 2026
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 17 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly requires management of authenticators, including session cookies, with sufficient entropy, randomness, and protection to prevent them from being guessable via brute force.
- Prevent: Limits consecutive unsuccessful authentication attempts, mitigating brute-force attacks on session cookies even if they are partially guessable.
- Prevent: Provides mechanisms to ensure the authenticity of web communications sessions, reducing the risk of exploitation through guessed or unauthorized session cookies.

Security Summary

CVE-2026-42365 is a guessable session cookie vulnerability in the Web Interface functionality of GeoVision LPC2011/LPC2211 version 1.10, published on 2026-05-04T01:16:03.620. A specially crafted series of HTTP requests can lead to an authentication bypass: an attacker can brute-force session cookies to trigger the vulnerability. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-341.

Any unauthenticated attacker with network access can exploit this vulnerability because of its low attack complexity, network attack vector, and the absence of any privilege or user-interaction requirement. Successful exploitation allows session cookies to be brute-forced to bypass authentication, resulting in high confidentiality impact across a scoped security boundary.

Advisories with potential mitigation details are available from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/ and GeoVision at https://www.geovision.com.tw/cyber_security.php.

Details

CWE(s)

Affected Products

geovision
gv-lpc2011 firmware
1.10
geovision
gv-lpc2211 firmware
1.10

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The vulnerability in the public web interface directly enables remote exploitation via crafted HTTP requests (T1190); guessable session cookies make brute-force guessing feasible as the path to authentication bypass (T1110).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References