### Key Information

- **Vulnerability Name**: GeoVision Command Injection RCE via /PictureCatch.cgi
- **Severity**: CRITICAL
- **Date**: October 20, 2025
- **Affected Scope**:
  - GV-BX1500 firmware versions released prior to Nov/Dec 2017
  - GV-MFD1501 firmware versions released prior to Nov/Dec 2017
  - Other GeoVision embedded IP devices' firmware released prior to Nov/Dec 2017
- **CVE ID**: CVE-2018-25118
- **CWE ID**: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- **CVSS Score**: 9.3
- **CVSS V4 Vector**: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
- **References**:
  - GitHub PoC
  - ExploitDB-43982
  - GeoVision Release Notes
- **Discoverer**: bashis
- **Description**: GeoVision embedded IP devices, confirmed in GV-BX1500 and GV-MFD1501, are affected by a remote command injection vulnerability via `/PictureCatch.cgi`, allowing attackers to execute arbitrary commands on the device. VulnCheck observed exploitation of this vulnerability at 08:55:13.141502 UTC on October 19, 2025.