CVE-2026-7161
Published: 04 May 2026
Description
An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various…
more
Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default.
Mitigating Controls (NIST 800-53 r5)AI
Requires protection of confidentiality and integrity for transmitted information, directly preventing eavesdropping on broadcast packets containing credentials.
Mandates implementation of approved cryptographic protections, addressing the use of weak Blowfish-derived encryption that exposes credentials.
Enforces proper cryptographic key management, preventing inclusion of the symmetric key in the same packet as encrypted credentials.
Security SummaryAI
CVE-2026-7161 is an insufficient encryption vulnerability (CWE-656) in the Device Authentication functionality of GeoVision GV-IP Device Utility version 9.0.5. The affected component broadcasts privileged commands over UDP to Geovision devices on the network, including the username and password encrypted with a Blowfish-derived cryptographic protocol. However, the symmetric key used for encryption is also included in the packet, rendering the protection reliant on the obscurity of the encryption scheme.
An attacker on the same LAN can exploit this by passively listening to broadcast traffic when an administrator uses the utility to interact with a device. The attacker can then decrypt the credentials using their own implementation of the algorithm, as the key is exposed. Successful exploitation grants full control over the device configuration, such as changing its IP address or resetting it to factory defaults. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H), indicating high severity with required user interaction.
Mitigation guidance is available in related advisories, including the Talos Intelligence vulnerability report at https://talosintelligence.com/vulnerability_reports/ and GeoVision's cybersecurity page at https://www.geovision.com.tw/cyber_security.php.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability exposes credentials in LAN broadcast UDP traffic via weak encryption with included key, directly enabling passive capture of authentication material via network sniffing.