Botnet exploits GeoVision zero-day to install Mirai malware

A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks.

The flaw is tracked as CVE-2024-11120 and was discovered by Piotr Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) OS command injection problem, allowing unauthenticated attackers to execute arbitrary system commands on the device.

“Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device,” warns Taiwan’s CERT.

“Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”

According to TWCERT, the vulnerability impacts the following device models:

  • GV-VS12: A 2-channel H.264 video server that converts analog video signals into digital streams for network transmission.
  • GV-VS11: A single-channel video server designed to digitize analog video for network streaming.
  • GV-DSP LPR V3: A Linux-based system dedicated to license plate recognition (LPR).
  • GV-LX4C V2 / GV-LX4C V3: Compact digital video recorders (DVRs) designed for mobile surveillance applications.

All of these models have reached the end of life and are no longer supported by the vendor, so no security updates are expected.

Threat monitoring platform The Shadowserver Foundation reports that approximately 17,000 GeoVision devices are exposed online and are vulnerable to the CVE-2024-11120 flaw.

Kijewski told BleepingComputer that the botnet appears to be a Mirai variant, which is usually used as part of DDoS platforms or to perform cryptomining.

Most of the exposed devices (9,100) are based in the United States, followed by Germany (1,600), Canada (800), Taiwan (800), Japan (350), Spain (300), and France (250).

Location of exposed GeoVision devices
Source: The Shadowserver Foundation

In general, signs of botnet compromise include devices heating excessively, becoming slow or unresponsive, and having their configuration arbitrarily changed.

If you notice any of these symptoms, perform a device reset, change the default admin password to something strong, turn off remote access panels, and place the device behind a firewall.

Ideally, these devices should be replaced with actively supported models, but if that’s impossible, they should be isolated on a dedicated LAN or subnet and closely monitored.

Bill Toulas
