CVE-2018-25118

EUVD-2018-21605
GeoVision embedded IP devices, confirmed on GV-BX1500 and GV-MFD1501, contain a remote command injection vulnerability via /PictureCatch.cgi that enables an attacker to execute arbitrary commands on the device. The vulnerable models have been declared end-of-life (EOL) by the vendor. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-19 08:55:13.141502 UTC.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Common Weakness Enumeration
References
https://github.com/mcw0/PoC/blob/fb06efe05b7e240dc88ff31eb30e1ef345509dce/Geovision-PoC.py#L15
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
https://www.exploit-db.com/exploits/43982
https://www.geovision.com.tw/blog/?cat=14
https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi
https://github.com/mcw0/PoC/blob/fb06efe05b7e240dc88ff31eb30e1ef345509dce/Geovision-PoC.py#L15
https://www.exploit-db.com/exploits/43982
https://www.vulncheck.com/advisories/geovision-command-injection-rce-picture-catch-cgi