轉發 國家資安資訊分享與分析中心 NISAC-200-202510-00000262

[內容說明]
研究人員發現GeoVision嵌入式IP設備存在作業系統指令注入(OS Command Injection)漏洞(CVE-2018-25118)，未經身分鑑別之遠端攻擊者可注入任意作業系統指令並於設備上執行。該漏洞已遭駭客利用，請儘速確認並進行修補。

[影響平台]
GV-BX1500、GV-MFD1501及其他嵌入式IP設備，韌體釋出日期在2017年12月之前

[建議措施]
請更新韌體至最新版本

[參考資料]
1. https://nvd.nist.gov/vuln/detail/CVE-2018-25118
2. https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi
Forwarded from the National Cybersecurity Information Sharing and Analysis Center (NISAC-200-202510-00000262)

[Content Description] Researchers have discovered an OS Command Injection vulnerability (CVE-2018-25118) in GeoVision embedded IP devices. An unauthenticated remote attacker could inject arbitrary operating system commands and execute them on the device. This vulnerability has already been exploited by hackers; please confirm and patch it as soon as possible.

[Affected Platforms] GV-BX1500, GV-MFD1501, and other embedded IP devices with firmware release dates prior to December 2017.

[Recommended Actions] Please update your firmware to the latest version.

[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2018-25118
2. https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi