Pierluigi Paganini November 17, 2024
Researchers at the Shadowserver Foundation observed a botnet exploiting a zero-day in GeoVision EOL (end-of-Life) devices to compromise devices in the wild. The GeoVision zero-day, tracked as CVE-2024-11120 (CVSS 9.8), is a pre-auth command injection vulnerability that was discovered by Shadowserver Foundation and verified with the help of TWCERT.
The vulnerability impacts the following EoL products:
“Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.” reads the advisory published by TWCERT. “Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”
The botnet was used to carry out DDoS or cryptomining attacks.
According to Shadowserver Foundation, there are approximately 17,000 Internet-facing GeoVision devices vulnerable to the CVE-2024-11120 zero-day.
Most of the exposed devices are based in the United States (9,179), followed by Germany (1,652), Taiwan (792), and Canada (784).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cryptomining)