U.S. CISA adds GeoVision device flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GeoVision device flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two GeoVision device flaws, CVE-2024-6047 and CVE-2024-11120, to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these flaws:
- CVE-2024-6047 (CVSS score 9.8) GeoVision Devices OS Command Injection Vulnerability. Multiple end-of-life (EOL) GeoVision devices fail to properly filter user input to a specific function. An unauthenticated remote attacker can exploit CVE-2024-6047 to inject and execute arbitrary system commands on the device.
- CVE-2024-11120 (CVSS score 9.8) GeoVision Devices OS Command Injection Vulnerability. An unauthenticated remote attacker can exploit this pre-authentication command injection flaw to inject and execute arbitrary system commands on the device. The vulnerability has already been exploited in the wild.

In November 2024, researchers at the Shadowserver Foundation observed a botnet exploiting CVE-2024-11120, then a zero-day, to compromise EOL GeoVision devices. Shadowserver discovered the flaw and verified it with the help of TWCERT. It affects the following EOL products: GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, and GVLX 4 V3.

“Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.” reads the advisory published by TWCERT. “Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”

The compromised devices were used for DDoS and cryptomining attacks. At the time, Shadowserver counted approximately 17,000 Internet-facing GeoVision devices vulnerable to CVE-2024-11120. Most of the exposed devices were in the United States (8,720), followed by Germany (1,518), Taiwan (789), and Canada (761). The number of Internet-facing vulnerable GeoVision devices remains high.
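Both CVEs are OS command injection in a device web interface: user input reaches a shell-interpreted command line without adequate filtering. The following is an added illustration of that class and of the fix that actually closes it, written for this page; it is not GeoVision firmware and does not reproduce either CVE. The "ping a host" handler, the function names and the sample inputs are assumptions chosen to show the pattern.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* --- Vulnerable pattern (hypothetical handler, not GeoVision code) -------- */
/* A device web page lets the user "ping" a host. The user-controlled string
   is pasted into a shell command line that would be handed to system() or
   popen(), so the shell interprets ';', '|', '&', '`' and '$(...)'.
   Returns 1 if the command fit in the buffer, 0 otherwise. */
int vulnerable_build_cmd(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < outlen;
}

/* --- Hardened pattern ----------------------------------------------------- */
/* Allowlist validation: a hostname or IPv4 literal is letters, digits, '.'
   and '-' only. Anything else (whitespace, ';', '|', '&', '`', '$', quotes,
   newlines) is rejected outright instead of being "filtered" with a denylist,
   which is the approach that tends to miss a case. A leading '-' is also
   rejected so the value cannot be parsed as a ping option. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Builds an argv for execv()/posix_spawn() (cast to char *const * when
   calling execv). No shell is involved, so even a metacharacter that slipped
   past validation would reach ping as a literal argument, never be
   interpreted. "--" ends option parsing so the host cannot become a flag.
   Returns the argument count on success, 0 if the host is rejected. */
int hardened_build_argv(const char *host, const char *argv[], size_t argv_len)
{
    if (argv_len < 6 || !is_safe_host(host))
        return 0;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = "--";
    argv[4] = host;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed sample input: a benign host and an injection attempt. */
    const char *benign = "10.0.0.1";
    const char *attack = "10.0.0.1; cat /etc/passwd";
    char cmd[256];
    const char *argv[6];

    vulnerable_build_cmd(attack, cmd, sizeof cmd);
    printf("vulnerable shell command: %s\n", cmd);
    printf("hardened, benign host accepted (argc): %d\n",
           hardened_build_argv(benign, argv, 6));
    printf("hardened, injection accepted (argc): %d\n",
           hardened_build_argv(attack, argv, 6));
    return 0;
}
```

The two halves of the fix are independent and both matter: the allowlist keeps attacker-shaped data out of the process at the boundary, and dropping the shell removes the interpreter that turns a stray `;` into a second command. On an EOL device neither can be retrofitted by the operator, which is why the only workable mitigation for these products is to take them off the Internet.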
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by May 28, 2025.
(SecurityAffairs – hacking, CISA)