A botnet exploits e GeoVision zero-day to compromise EoL devices

A botnet employed in DDoS or cryptomining attacks is exploiting a zero-day in end-of-life GeoVision devices to grow up.

Researchers at the Shadowserver Foundation observed a botnet exploiting a zero-day in GeoVision EOL (end-of-Life) devices to compromise devices in the wild. The GeoVision zero-day, tracked as CVE-2024-11120 (CVSS 9.8), is a pre-auth command injection vulnerability that was discovered by Shadowserver Foundation and verified with the help of TWCERT.

The vulnerability impacts the following EoL products:

  • GV-VS12
  • GV-VS11
  • GV-DSP_LPR_V3
  • GVLX 4 V2
  • GVLX 4 V3

“Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.” reads the advisory published by TWCERT. “Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”

The botnet was used to carry out DDoS or cryptomining attacks.

According to Shadowserver Foundation, there are approximately 17,000 Internet-facing GeoVision devices vulnerable to the CVE-2024-11120 zero-day.

Most of the exposed devices are based in the United States (9,179), followed by Germany (1,652), Taiwan (792), and Canada (784).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cryptomining)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter