GeoVision EOL Devices Under Active Exploitation: CVE-2024-11120 Pre-Auth OS Command Injection Enables Remote Command Execution (CVSS 9.8)

1. Executive Summary

CVE-2024-11120 is a critical OS command injection vulnerability affecting certain end-of-life (EOL) GeoVision video server/DVR and licence-plate-recognition device lines, enabling unauthenticated remote attackers to execute arbitrary system commands. According to GeoVision’s advisory GV-IP-2024-11-1, impacted models are retired and will not receive security fixes, with the vendor recommending replacement. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) per TWCERT/CC’s vulnerability note and is tracked in NVD. Multiple independent reports indicate active exploitation, including Mirai-family botnet activity targeting the vulnerable CGI endpoint to download and execute malware, as detailed by Akamai SIRT’s analysis.


2. Contextual Background

2.1 Nature of the threat

CVE-2024-11120 is an OS command injection issue (CWE-78) in certain EOL GeoVision devices: insufficient filtering of request input allows command execution before authentication. In advisory GV-IP-2024-11-1, GeoVision confirms the flaw, notes that the affected products are EOL and recommends replacement. TWCERT/CC’s note likewise describes unauthenticated command injection leading to arbitrary command execution and states that exploitation has been reported. The CVE entry and scoring are reflected in NVD.

2.2 Threat-actor attribution (if any)

Public reporting attributes exploitation to Mirai-family botnet operators rather than a named APT group. Akamai identifies exploitation leading to deployment of a Mirai-based variant and provides technical indicators and detection rules in its blog post, “Here Comes Mirai: IoT Devices RSVP to Active Exploitation”. BleepingComputer also reports a Mirai-variant botnet exploiting CVE-2024-11120, citing Shadowserver’s observations in its coverage.

Confidence: Likely (A2/B2) that opportunistic Mirai/botnet operators are exploiting CVE-2024-11120, based on consistent independent reporting from Akamai and BleepingComputer. No credible public sources currently attribute activity to a specific, named threat actor.

2.3 Sector and geographic targeting

Observed exploitation aligns with typical IoT botnet tradecraft: mass scanning and opportunistic compromise of internet-exposed devices for DDoS capability and/or ancillary monetisation. BleepingComputer, citing Shadowserver, reports large-scale internet exposure and provides a country distribution of exposed devices in its article. In its analysis, Akamai reports exploitation attempts observed in its honeypots from April 2025 onward, indicating ongoing targeting of exposed devices in the wild.


3. Technical Analysis

3.1 Vulnerability mechanics and observed TTPs (MITRE ATT&CK mapped)

Public technical reporting indicates exploitation of a GeoVision CGI endpoint associated with time/date configuration:

  • Initial access via internet-facing service: Attackers exploit the vulnerable CGI endpoint on exposed devices (Observed targeting of /DateSetting.cgi).
    • ATT&CK: T1190 (Exploit Public-Facing Application) — supported by Akamai’s description of exploitation against the /DateSetting.cgi endpoint in Akamai’s write-up.
  • Command injection leading to OS command execution: Injection is performed via a request parameter (reported as szSrvIpAddr) that is not properly sanitised.
    • ATT&CK: T1059 (Command and Scripting Interpreter) — evidenced by Akamai’s decoded payload showing shell command chaining and execution in Akamai’s analysis.
  • Payload retrieval and execution: The injected command sequence downloads a Mirai-family binary to /tmp, modifies permissions, and executes it.
    • ATT&CK: T1105 (Ingress Tool Transfer) — download via wget is shown in Akamai’s decoded exploit chain in Akamai’s analysis.
    • ATT&CK: T1204 (User Execution) does not apply here, as no user interaction is involved; execution is remote and automated, so the chain is better mapped as execution under T1059 with ingress under T1105.
  • Command-and-control: Akamai reports identified C2 IP infrastructure and a C2-related domain used by botnet activity.
    • ATT&CK: T1071.001 (Application Layer Protocol: Web Protocols) — consistent with HTTP-based infrastructure referenced in Akamai’s network IOCs and Snort rules in Akamai’s IOC section.

3.2 Exploitation status

  • Actively exploited: TWCERT/CC’s vulnerability note states the vulnerability “has already been exploited” and that exploitation reports have been received.
  • Corroborated in threat-intelligence reporting: Akamai documents exploitation observed in April 2025, including decoded payloads and IoCs in its analysis.
  • Known Exploited Vulnerabilities (KEV): NVD’s change history shows a CISA KEV update for CVE-2024-11120 (including dates and required action text) within the NVD record. A CISA KEV catalogue entry also exists (where accessible) via CISA’s Known Exploited Vulnerabilities Catalogue (GeoVision vendor filter).

4. Impact Assessment

4.1 Severity and scope

  • Severity: CVSS v3.1 base score 9.8 (Critical) is published by TWCERT/CC and reflected in the NVD entry, indicating unauthenticated remote code execution impact (high confidentiality/integrity/availability).
  • Scope drivers: Devices are EOL and not expected to receive patches, materially increasing operational risk and dwell time if exposed, per GeoVision’s advisory.

4.2 Victim profile

Affected assets are GeoVision EOL video servers/DVRs and related appliances commonly used in surveillance and operational environments. TWCERT/CC lists affected products (e.g., GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2/V3) in its note, which GeoVision also enumerates in GV-IP-2024-11-1. BleepingComputer cites Shadowserver observations indicating substantial numbers of exposed devices and provides a country breakdown in its coverage.


5. Indicators of Compromise (IOCs)

5.1 IOC table

Type                 | Value                 | Context / Notes                                                                          | Source
---------------------|-----------------------|------------------------------------------------------------------------------------------|---------------------------------------------
Vulnerable endpoint  | /DateSetting.cgi      | Observed exploitation target used to inject commands via request parameters              | Akamai Mirai/GeoVision exploitation analysis
Parameter            | szSrvIpAddr           | Reported injection point for command chaining / OS command injection                     | Akamai Mirai/GeoVision exploitation analysis
File name            | boatnet.arm7          | ARM-based Mirai-family payload downloaded and executed (example chain shown by Akamai)   | Akamai Mirai/GeoVision exploitation analysis
Path                 | /tmp                  | Example download/execution directory used in Akamai’s decoded command chain              | Akamai Mirai/GeoVision exploitation analysis
IP (C2 / infra)      | 209.141.44.28         | Listed by Akamai as botnet infrastructure in IOCs/Snort/YARA                             | Akamai IOC section
IP (C2 / infra)      | 51.38.137.114         | Listed by Akamai as botnet infrastructure in IOCs/Snort/YARA                             | Akamai IOC section
IP (payload / infra) | 176.65.144.253        | Used in Akamai’s decoded payload example and listed as IOC                               | Akamai IOC section
IP (C2 / infra)      | 176.65.144.232        | Listed by Akamai as botnet infrastructure in IOCs/Snort/YARA                             | Akamai IOC section
IP (C2 / infra)      | 198.23.212.246        | Listed by Akamai as botnet infrastructure in IOCs/Snort/YARA                             | Akamai IOC section
Domain (C2 / distro) | connect.antiwifi.dev  | Domain used for C2 or malware distribution detection per Akamai                          | Akamai IOC section

5.2 Detection guidance

  • Snort / network detection: Akamai provides ready-to-use Snort rules for identifying traffic to the listed C2 IPs and domain in the IOC section of its blog.
  • YARA (file detection): Akamai includes a YARA rule with embedded network indicators and SHA-256 matches in the same post: Akamai IOC section.
  • High-signal hunting ideas (SIEM/EDR):
    • Alert on outbound connections from IoT/surveillance VLANs to the IOC IPs/domains listed above.
    • Hunt for HTTP requests to /DateSetting.cgi from untrusted sources carrying suspicious parameter values (command separators such as ;, backticks and $()), consistent with the decoded exploit string shown in Akamai’s analysis.
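The hunting idea above as a log-review script, added here as an example and not taken from Akamai’s post or from GeoVision: it parses constructed Common Log Format lines (an assumed format; the device’s own log layout is not documented on this page), isolates the szSrvIpAddr value of each /DateSetting.cgi request, URL-decodes it twice so double-encoded payloads surface, and flags values containing the separators named above. The sample injected values carry only a harmless echo.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format (assumption: the device's real log
# format is not given on the page). The flagged values carry only a harmless probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2025:08:01:12 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10 HTTP/1.1" 200 312
198.51.100.7 - - [10/Apr/2025:08:02:40 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10%3B%24%28echo+probe%29 HTTP/1.1" 200 312
198.51.100.9 - - [10/Apr/2025:08:02:55 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10%2560echo+probe%2560 HTTP/1.1" 200 312
203.0.113.5 - - [10/Apr/2025:08:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

VULN_PATH = "/DateSetting.cgi"   # endpoint reported by Akamai
INJECT_PARAM = "szSrvIpAddr"     # parameter reported as the injection point
# Separators named in the detection guidance (; backticks $()) plus |, & and newline.
SEPARATOR_RE = re.compile(r"[;`|&\n]|\$\(")
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def query_values(query, name):
    """Split on '&' only (never ';', which older parse_qs versions treat as a
    separator) and decode twice so double-encoded payloads are still visible."""
    out = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            out.append(unquote_plus(unquote_plus(value)))
    return out

def find_suspicious_requests(log_text, trusted_sources=frozenset()):
    """Return one finding per /DateSetting.cgi request whose szSrvIpAddr value
    contains shell metacharacters; hits from untrusted sources are the higher-signal ones."""
    findings = []
    for line in log_text.splitlines():
        rec = LOG_RE.match(line)
        if not rec:
            continue
        url = urlsplit(rec["target"])
        if url.path != VULN_PATH:
            continue
        for value in query_values(url.query, INJECT_PARAM):
            hits = sorted(set(SEPARATOR_RE.findall(value)))
            if hits:
                findings.append({"src": rec["src"], "method": rec["method"],
                                 "trusted": rec["src"] in trusted_sources,
                                 "value": value, "separators": hits})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG, {"203.0.113.5"}):
        print(finding)
```

The trusted_sources set is a constructed allowlist of management hosts; requests flagged from addresses outside it are the ones to escalate.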

6. Incident Response Guidance

6.1 Containment, eradication, and recovery

  • Immediate containment:
    • Remove affected devices from direct internet exposure (block inbound from WAN; restrict management interfaces) — prioritise any systems matching the affected product list in GeoVision’s advisory.
    • If operationally feasible, isolate onto a dedicated subnet/VLAN with strict egress filtering to prevent botnet enrolment, aligning with exposure risk described in BleepingComputer’s coverage.
  • Eradication:
    • Reimage/replace the device where possible: GeoVision explicitly recommends replacement due to EOL status and lack of ongoing maintenance in GV-IP-2024-11-1.
    • If replacement is delayed, perform a factory reset and ensure credentials are rotated; note this is risk-reduction only (it does not remove the underlying vulnerability).
  • Recovery:
    • Implement compensating controls (WAF/edge filtering for CGI patterns, ACLs, strict allowlisting for management access) while migration plans are executed.

6.2 Forensic artefacts to collect and preserve

  • HTTP access logs (if available) showing requests to /DateSetting.cgi and associated parameters (especially szSrvIpAddr) as described by Akamai.
  • Device filesystem and process listings, focusing on /tmp and recently created executables, since Akamai’s decoded example shows download and execution in /tmp.
  • Network telemetry (NetFlow/PCAP) for outbound connections to the IOC IPs/domains published by Akamai.

6.3 Lessons learned and preventive recommendations

  • Treat EOL surveillance/IoT assets as high-risk “permanent n-days”: if patches are not available, assume eventual compromise if exposed, consistent with GeoVision’s EOL stance in GV-IP-2024-11-1.
  • Enforce lifecycle governance: procurement and asset management controls should prevent internet exposure of unsupported devices and drive timely replacement.

7. Threat Intelligence Contextualisation

7.1 Similar incidents and pattern matching

Mirai-family botnets have repeatedly leveraged unauthenticated RCE/command injection in legacy IoT to scale botnet capacity. Akamai explicitly frames this GeoVision activity as Mirai-based exploitation and provides a decoded payload chain consistent with historic Mirai tradecraft in its analysis.

7.2 Full MITRE ATT&CK mapping (observed lifecycle)

Tactic                         | Technique ID | Technique Name                    | Observed Behaviour
-------------------------------|--------------|-----------------------------------|------------------------------------------------------------------------------------------
Initial Access                 | T1190        | Exploit Public-Facing Application | Remote exploitation of exposed GeoVision CGI endpoint /DateSetting.cgi per Akamai observations
Execution                      | T1059        | Command and Scripting Interpreter | OS command injection via szSrvIpAddr enabling command chaining and execution
Command and Control            | T1071.001    | Web Protocols                     | Botnet infrastructure identified via IPs/domains and Snort rules in Akamai’s IOC set
Command and Control / Delivery | T1105        | Ingress Tool Transfer             | Downloading payload (e.g., boatnet.arm7) via wget then executing

(Observed behaviours are derived from Akamai’s exploitation and IOC analysis.)


8. Mitigation Recommendations

8.1 Actionable hardening and controls

  • Primary mitigation: replace EOL devices. GeoVision states affected devices are no longer maintained and recommends replacing them with current models in GV-IP-2024-11-1.
  • If replacement is not immediate:
    • Remove WAN exposure; restrict access to trusted administrative networks only.
    • Block inbound requests to /DateSetting.cgi at the perimeter where feasible (reverse proxy/ACL), informed by Akamai’s identification of the targeted endpoint in its analysis.
    • Apply strict egress filtering from the device subnet to prevent outbound connections to untrusted IP space; explicitly deny known IOC IPs/domains from Akamai’s IOC list.

8.2 Patch management advice

  • Patches: Public vendor guidance indicates no patch is expected for the impacted EOL models; replacement is advised in GeoVision’s advisory.
  • Prioritisation: Treat CVE-2024-11120 as emergency priority due to pre-auth remote code execution and CVSS 9.8 in NVD and exploitation reporting in TWCERT/CC and Akamai.

9. Historical Context & Related Vulnerabilities

9.1 Related vulnerabilities in the same product family

GeoVision’s advisory bundles CVE-2024-11120 with CVE-2024-6047 as OS injection vulnerabilities affecting EOL IP device lines in GV-IP-2024-11-1. Akamai also discusses exploitation activity associated with CVE-2024-6047 alongside CVE-2024-11120 in its write-up.

9.2 Prior coverage


10. Future Outlook

10.1 Emerging trends and likely evolution

Given the combination of (1) high-severity unauthenticated RCE, (2) easily automatable exploitation, and (3) an EOL patch dead-end, CVE-2024-11120 is well-suited to sustained botnet recruitment. Akamai’s findings show active exploitation and operationalised infrastructure (Snort/YARA-ready IoCs), suggesting continued scanning and rapid re-compromise of reset devices in the absence of removal/replacement, per Akamai’s assessment.

10.2 Predicted shifts in targeting, tooling, or behaviour

Expect “one-to-many” exploit modules to be incorporated into broader Mirai-family loaders targeting multiple IoT brands and CVEs in a single campaign, consistent with Akamai’s observation of the same botnet attempting additional exploits beyond GeoVision in its analysis.


11. Further Reading

Vendor / official advisories

Threat intelligence & technical analysis