CVE-2024-6047 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2024-06-17

Added to CISA KEV: 2025-05-07 324 DAYS BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately isolate or disconnect affected GeoVision devices from internet access
Replace all affected EOL devices as vendor recommends retirement/replacement with no patches available
Implement network segmentation to prevent lateral movement if devices are compromised
Monitor network traffic for unusual command execution or outbound connections from affected devices
HIGHEST PRIORITY: These are actively exploited EOL devices with no available fixes

CVE-2024-6047 is a critical command injection vulnerability affecting certain discontinued (End-of-Life) GeoVision IoT devices ^[1] ^[2].

Feature	Description
Vulnerability Type	Command Injection ^[2]
Exploitation	Active exploitation in the wild has been confirmed ^[2]
Threat Actors	Exploited by Mirai-based IoT botnets ^[2]
Requirements	Unauthenticated, remote access; no user interaction required ^[1]
Impact	Arbitrary system command execution and file writing with system-level privileges ^[3]
Patch Status	No patch available (EOL devices) ^[1]

Active Exploitation: The vulnerability has been actively exploited in the wild, notably by Mirai-based botnets seeking to compromise IoT devices ^[2]. It is often associated with similar command injection flaws in GeoVision devices, such as CVE-2024-11120 ^[2].
Attack Method: Attackers exploit the device's failure to properly filter user input for specific functionality. Because it is a remote, unauthenticated command injection, it allows attackers to gain control over the affected hardware without needing any interaction from a user ^[1].
Impact: Successful exploitation provides attackers with the ability to execute arbitrary system commands and write arbitrary files with system-level privileges, effectively granting them full control over the compromised device ^[3].
Patch/Mitigation: As the affected GeoVision devices are End-of-Life (EOL), no official patches are available ^[1]. The primary recommendation for such devices is to disconnect them from the internet or replace them with supported hardware.

NVD - CVE-2024-6047
An official website of the United States government Here's how you know ... National Vulnerability Database. Vulnerabilities. CVE-2024-6047 Detail. Unsupported When Assigned. Description. Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated…
Here Comes Mirai: IoT Devices RSVP to Active Exploitation - Akamai
See details and IOCs of Akamai SIRT's discovery of active exploitation of the command injection vulnerabilities CVE-2024-6047 and ... Certain discontinued GeoVision devices fail to properly filter user input for this parameter, which allows unauthenticated remote attackers to inject and execute arbi…
CVE-2024-6047 - Exploits & Severity - Feedly
Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can ... CVE-2024-6047 is a command injection vulnerability identified in discontinued GeoVision IoT devices, which has been actively exploited in the wild, as reported by…

🔴 CVE-2024-6047