GeoVision Devices Exploited by Botnet to Install Mirai Malware

November 15, 2024

A malware botnet is exploiting a zero-day vulnerability in GeoVision devices that are no longer supported. The flaw, tracked as CVE-2024-11120, was discovered by Piotr Kijewski of The Shadowserver Foundation. It is a critical-severity issue that allows unauthenticated attackers to execute arbitrary system commands on the device. Taiwan's CERT has issued a warning about this vulnerability, stating, 'Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.' It also reported that the vulnerability has already been exploited by attackers.

The vulnerability affects various device models that are no longer supported by the vendor, meaning no security updates are expected. The Shadowserver Foundation has reported that approximately 17,000 GeoVision devices are exposed online and vulnerable to the CVE-2024-11120 flaw.

Kijewski has identified the botnet as a variant of Mirai, which is typically used in DDoS platforms or for cryptomining. The majority of the exposed devices are based in the United States, with others located in Germany, Canada, Taiwan, Japan, Spain, and France.

Signs of a botnet compromise include excessive heating of devices, slowed or unresponsive devices, and arbitrary configuration changes. In such cases, a device reset should be performed, the default admin password should be changed, remote access panels should be turned off, and the device should be placed behind a firewall. Ideally, unsupported devices should be replaced with models that are currently supported. If replacement is not possible, the devices should be isolated on a dedicated LAN or subnet and closely monitored.
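The last recommendation above, isolating unsupported cameras on their own subnet and monitoring them closely, is only useful if something actually watches that subnet. The following is an added example (not from the original article or from GeoVision) of the monitoring side: it takes flow records from a hypothetical camera VLAN (10.50.0.0/24) with a small egress allow-list (the gateway 10.50.0.1 and an NVR at 10.20.0.10, both assumed), flags any camera that talks to a destination outside that list, and separately flags cameras that fan out to many distinct external hosts, which is the traffic shape a Mirai-style DDoS or scanning node produces. The flow lines are constructed for the example.

```python
"""Egress monitoring for an isolated camera segment (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Hypothetical dedicated camera VLAN and its only legitimate egress peers:
# the segment gateway (NTP/DNS) and the NVR that pulls the RTSP streams.
CAMERA_SEGMENT: IPv4Network = ip_network("10.50.0.0/24")
ALLOWED_EGRESS = frozenset({ip_address("10.50.0.1"), ip_address("10.20.0.10")})

# Constructed flow records, one per line: timestamp src dst dport proto bytes.
# 10.50.0.21 behaves normally, 10.50.0.37 fans out to six external hosts,
# 10.50.0.44 makes a single unexpected outbound telnet connection.
SAMPLE_FLOWS = """\
2024-11-15T10:00:01Z 10.50.0.21 10.20.0.10 554 tcp 820000
2024-11-15T10:00:05Z 10.50.0.21 10.50.0.1 123 udp 76
2024-11-15T10:00:09Z 10.50.0.37 198.51.100.14 80 tcp 512
2024-11-15T10:00:10Z 10.50.0.37 203.0.113.5 80 tcp 60
2024-11-15T10:00:10Z 10.50.0.37 203.0.113.6 80 tcp 60
2024-11-15T10:00:11Z 10.50.0.37 203.0.113.7 80 tcp 60
2024-11-15T10:00:11Z 10.50.0.37 203.0.113.8 80 tcp 60
2024-11-15T10:00:12Z 10.50.0.37 203.0.113.9 443 tcp 60
2024-11-15T10:00:20Z 10.20.0.10 10.50.0.21 80 tcp 300
2024-11-15T10:00:30Z 10.50.0.44 192.0.2.77 23 tcp 120
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(dport), proto, int(nbytes)))
    return flows


def egress_violations(flows: list[Flow], segment: IPv4Network,
                      allowed: frozenset) -> dict[str, list[tuple[str, int]]]:
    """Map each camera-segment source to the (dst, port) pairs it reached outside
    the segment that are not on the allow-list. Inbound traffic to the cameras
    (src outside the segment) is deliberately ignored; the point is egress."""
    seen: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.src in segment and f.dst not in segment and f.dst not in allowed:
            seen[str(f.src)].add((str(f.dst), f.dport))
    return {src: sorted(pairs) for src, pairs in sorted(seen.items())}


def fan_out_alerts(violations: dict[str, list[tuple[str, int]]], threshold: int = 5) -> list[str]:
    """Sources that contacted at least `threshold` distinct external hosts.
    A camera has no business doing this; the pattern matches DDoS or scanning."""
    return [src for src, pairs in violations.items()
            if len({dst for dst, _ in pairs}) >= threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    violations = egress_violations(flows, CAMERA_SEGMENT, ALLOWED_EGRESS)
    for src, pairs in violations.items():
        print(f"{src}: {len(pairs)} disallowed egress flow(s) -> {pairs}")
    for src in fan_out_alerts(violations):
        print(f"ALERT {src}: fan-out to many external hosts; isolate and reset the device")
```

In a real deployment the same two checks would run over exported NetFlow/IPFIX or firewall logs for the camera VLAN; the allow-list is the mitigation and the fan-out alert is the detection that tells you an unsupported device has been taken over and needs the reset, password change and remote-access shutdown described above.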
