TopVuln

High-risk vulnerability digests

CVE-2026-42369

Severity: CRITICAL

Details

CVSS v3: 10.0
NVD published: 2026-05-04 01:16:04
EPSS: 0.2% probability · 40.1th percentile (2026-05-11)
Affected versions: GV-VMS V20 with WebCam Server feature enabled
Summary
An unauthenticated stack-based buffer overflow exists in the gvapi endpoint of the WebCam Server in GV-VMS V20. An attacker can send a crafted base64-encoded payload that triggers an unbounded copy into a fixed-size stack buffer with no bounds checking. The web server is compiled without ASLR, which makes exploitation straightforward and yields code execution at full SYSTEM level.
Remediation
Disable the WebCam Server feature if it is not required for business operations. Apply the latest official security patch from GeoVision as soon as it becomes available. Restrict network access to the GV-VMS management interface to only trusted internal IP ranges.
Exploit info
No public exploit found yet.



Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.