The Shadowserver Foundation has discovered a botnet that exploits a zero-day vulnerability in outdated GeoVision devices to carry out DDoS attacks or cryptocurrency mining.
The vulnerability, CVE-2024-11120 (CVSS score: 9.8), is an OS command injection flaw that lets unauthorized attackers execute arbitrary commands on the system. Exploitation of this zero-day vulnerability has already begun, as reported by Taiwan's CERT. Experts have identified several affected GeoVision device models:
- GV-VS12 – 2-channel video server H.264
- GV-VS11 – single-channel video server
- GV-DSP LPR V3 – license plate recognition system
- GV-LX4C V2 and GV-LX4C V3 – compact video recorders for mobile surveillance
All of these models are no longer supported by the manufacturer, leaving them vulnerable to attacks.
According to the Shadowserver Foundation, approximately 17,000 GeoVision devices worldwide are vulnerable to CVE-2024-11120, with the highest numbers in the USA (9,100), followed by Germany (1,600), Canada (800), Taiwan (800), Japan (350), Spain (300), and France (250).
Geographic distribution of infected devices can be viewed on Shadowserver Foundation’s website.
Shadowserver Foundation experts suspect that the attacks are linked to the notorious Mirai botnet, first discovered in August 2016 and known for its involvement in powerful DDoS attacks.