CVE-2026-12485
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk35th percentile — higher than 35% of all known CVEs
Summary
GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on this device, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.
Risk Assessment
This vulnerability poses a risk of remote code execution, which could lead to the compromise of the device and potential access to the local network.
Recommendation
It is recommended to update the device firmware to the latest version that addresses this vulnerability and to restrict access to the DVRSearch service to trusted users only.
Original NVD description (English source)
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### IP field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v3 = strlen(g_network_config->ip_addr); memcpy(&reply_buf[36], g_network_config->ip_addr, v3);

