When the U.S. Cybersecurity and Infrastructure Security Agency (CISA) updates its Known Exploited Vulnerabilities (KEV) Catalog, the entire cybersecurity community—from federal agencies to private enterprises—takes notice. The latest additions to this catalog, CVE-2024-6047 and CVE-2024-11120, have sent a clear message: supply chain and IoT device security remain persistent, high-stakes challenges. Both of these vulnerabilities affect GeoVision devices and rely on similar OS command injection flaws—a chilling reminder that the threat landscape is ever-evolving, and attackers continuously probe for overlooked weaknesses.

What Are the New Vulnerabilities?

CVE-2024-6047 and CVE-2024-11120 are not arcane security flaws—they are examples of the all-too-common and hazardous OS command injection vulnerability, this time found in popular GeoVision equipment. According to the respective CVE records hosted at cve.org, these vulnerabilities allow unauthenticated remote attackers to execute arbitrary OS commands on affected devices. This means a cyber actor could take control of these devices, pivot deeper into the target network, exfiltrate sensitive data, or use compromised devices as launching points for further attacks.
GeoVision, a global provider of video surveillance and access control solutions, is widely deployed across both public and private sectors. Devices vulnerable to these exploits include networked digital video recorders, security cameras, and access control panels—making the scope of potential impact significant. These types of devices are often lightly managed or forgotten after installation, increasing the likelihood that vulnerabilities go unpatched for extended periods.

The Mechanics of OS Command Injection

Command injection flaws like those exploited by CVE-2024-6047 and CVE-2024-11120 occur when external user input is improperly sanitized before being passed to an operating system shell. Attackers exploit this by crafting malicious requests that inject arbitrary commands, which the device then executes with its own system privileges—a devastating capability in the wrong hands. Notably, these vulnerabilities typically bypass standard authentication requirements, granting attackers high-level control with minimal obstacles.
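An added illustration of the pattern just described (not GeoVision code; the ping handler, function names and inputs are assumptions): the vulnerable builder splices an HTTP parameter into a shell command line, while the hardened builder allow-lists the value and passes it as a single argv element that no shell re-parses.

```python
import ipaddress
import shlex

# Constructed scenario: a device web handler pings a host taken from a request
# parameter.  Nothing here executes a command; the builders only show what
# would reach the shell (unsafe) versus what would reach ping directly (safe).

SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_ping_unsafe(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a line meant for shell=True."""
    return f"ping -c 1 {host}"


def shell_command_count(cmdline: str) -> int:
    """Number of separate commands a POSIX shell would see in this line.

    punctuation_chars=True makes ';', '|' and '&' their own tokens, so a result
    above 1 means the parameter injected at least one extra command.
    """
    tokens = list(shlex.shlex(cmdline, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in SHELL_SEPARATORS)


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: allow-list the input, then hand it over as argv.

    The list is intended for subprocess.run(argv) without shell=True, so even a
    metacharacter-laden value would be passed to ping literally; the allow-list
    (a parseable IP address only) rejects such values before that point anyway.
    """
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"rejected host parameter: {host!r}") from None
    return ["ping", "-c", "1", host]
```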

Evidence of Active Exploitation

CISA’s inclusion of these CVEs in the KEV Catalog is not a theoretical exercise; it’s a result of credible evidence showing that malicious actors are exploiting these vulnerabilities in the wild. According to the CISA alert, federal authorities and private partners have observed attacks targeting these flaws. While technical details of in-the-wild exploitation are scarce—likely due to sensitive law enforcement and intelligence operations—multiple cybersecurity firms have corroborated an increase in scanning and exploitation activity focused on GeoVision hardware since early 2024. This assertion aligns with independent reporting from security researchers at SANS Internet Storm Center and Rapid7 Labs, both of whom flagged anomalous traffic and exploit attempts against popular IoT device signatures in recent months.
Given the pattern observed in previous KEV entries, once CISA officially recognizes a vulnerability as actively exploited, opportunistic attackers tend to increase their activity, betting that a significant number of targets remain unpatched and vulnerable. This dynamic underscores why CISA’s catalog is closely watched and why rapid remediation is essential for organizations with exposure.

Recognizing the Stakes: Why FCEB Agencies Are Under the Gun

The Binding Operational Directive (BOD) 22-01—titled "Reducing the Significant Risk of Known Exploited Vulnerabilities"—mandates that all Federal Civilian Executive Branch (FCEB) agencies remediate any catalogued vulnerabilities by a prescribed deadline. The KEV Catalog thereby serves as a living, authoritative list of CVEs with high demonstrable risk to federal networks. Per the BOD 22-01 Fact Sheet, agencies must routinely scan for, identify, and remediate these vulnerabilities—an obligation reflecting the systemic risk that widely exploited flaws pose to critical infrastructure.
However, CISA’s guidance does not stop at federal boundaries. The agency “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation,” emphasizing that the same vulnerabilities often endanger state, local, tribal, and private sector networks. Indeed, the attack methods typically employed against FCEB entities could just as easily be unleashed on healthcare providers, energy companies, or financial institutions relying on similar GeoVision infrastructure.

Critical Analysis: Strengths of the KEV Catalog Approach

Proactive Risk Reduction

The KEV Catalog approach, empowered by BOD 22-01, stands out for its focus on vulnerabilities that demonstrate real-world exploitation. By curating a list that emphasizes active threats, rather than theoretical risks or NIST catalog breadth, CISA enables organizations to prioritize their limited security resources effectively. This model short-circuits the debate about which of the thousands of disclosed CVEs truly matter (“patching paralysis”) and creates a concrete, evidence-driven remediation target.

Public-Private Coordination

Another notable strength is how the catalog fosters cooperation between federal, state, and private actors. Since its inception, the KEV Catalog’s updates have been informed not just by government intelligence sources but also by input from private-sector security researchers, managed security service providers (MSSPs), and hardware/software vendors. This public-private partnership accelerates the detection-to-remediation lifecycle—a crucial dynamic as adversaries grow increasingly agile.

Transparency and Accountability

By publishing the KEV Catalog openly and updating it regularly, CISA delivers a level of transparency rare in government cybersecurity, a field often regarded by allies and adversaries alike as a black box. The explicit deadlines for remediation (typically 7 to 21 days, depending on severity) also create formal accountability. FCEB agencies are required to submit evidence of patching or risk management to CISA, building a culture of compliance that could serve as a template for other risk domains.

Potential Risks and Challenges

Patch Availability and Supply Chain Constraints

While the KEV Catalog methodology is clear, reality is frequently less tidy. One persistent challenge is the timely availability of patches, especially for embedded or vendor-managed solutions like GeoVision’s. In some cases, device manufacturers are slow to release fixes—or cease supporting older product generations altogether. This leaves organizations in a bind: the mandate to patch contrasts sharply with patch availability, leading sometimes to risky stopgap measures like network isolation or device shutdown.
Furthermore, many organizations, especially in critical infrastructure sectors, lack a detailed inventory of all deployed IoT and edge devices, or their procurement records omit device firmware versions, complicating identification of vulnerable assets. This gap between vulnerability identification and operational remediation is particularly acute for “install-and-forget” IoT devices—precisely the type targeted by these latest CVEs.

Attack Chaining and Lateral Movement

OS command injection flaws act as force multipliers. Once any device on a network is compromised, attackers can pivot laterally, exploiting additional weaknesses or escalating privileges. Devices like networked security cameras or access control systems often have trusted access deep into network environments but receive less attention from traditional IT security teams. The risk of an initial compromise unfolding into a major breach—data theft, ransomware, surveillance—is more than theoretical. Historical attacks, including the Mirai botnet wave and more recent APT operations, have repeatedly shown how vulnerable IoT devices are weaponized for larger campaigns.

Risk of Overemphasis on Cataloged CVEs

Another nuanced risk is that organizations may become overly reliant on catalog-based prioritization, lagging on vulnerabilities not yet validated as actively exploited. While the KEV list represents a high bar, new zero-days, supply chain attacks, and targeted exploits often predate public disclosure. CISA’s model is powerful, but it is not exhaustive—not every relevant risk will make it onto the list in time for effective pre-emptive action. Organizations must therefore balance KEV-driven patching with broader vulnerability management strategies and ongoing threat intelligence monitoring.

Guidance for Windows and IoT Defenders

Addressing command injection risks in devices like those from GeoVision requires a multifaceted approach:
  • Asset Inventory: Maintain an up-to-date inventory of all connected devices—including vendor, model, and firmware details—to quickly identify exposure to cataloged vulnerabilities.
  • Patch Management: Deploy vendor-issued fixes as soon as they become available. Where patching is not feasible, network segmentation and strict access controls can limit impact.
  • Vulnerability Scanning: Use automated tools to regularly scan for vulnerable endpoints both on external-facing networks and within internal environments. Third-party solutions often offer IoT-specific detection modules.
  • Monitor for Exploitation: Leverage security information and event management (SIEM) tools and threat intelligence feeds. Watch for signs of fingerprinting, anomalous outbound connections, or C2 (command and control) beaconing from device IP ranges.
  • Incident Response: Prepare playbooks for containment and eradication of threats stemming from device breaches, including steps for device reimaging and password resets.
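As an added example (not CISA's or the post's own code) tying the asset inventory and patch management bullets together: cross-check a device inventory against a KEV catalog excerpt and compute how many days remain before each BOD 22-01 due date. The catalog excerpt assumes the public KEV JSON feed's field names; the dates, the third entry, and all inventory values are constructed placeholders.

```python
import json
from datetime import date

# Constructed catalog excerpt assuming the public KEV feed's field names
# (cveID, vendorProject, product, dateAdded, dueDate).  The two CVE ids are the
# ones this post discusses; every date and the third entry are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-6047", "vendorProject": "GeoVision",
     "product": "Multiple Devices", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-2024-11120", "vendorProject": "GeoVision",
     "product": "Multiple Devices", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleRouterCo",
     "product": "Edge Router", "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
]})

# Constructed device inventory; model and firmware strings are placeholders.
INVENTORY = [
    {"asset": "cam-lobby-01", "vendor": "GeoVision", "model": "MODEL-A", "firmware": "0.0.1"},
    {"asset": "dvr-dock-01", "vendor": "geovision", "model": "MODEL-B", "firmware": "0.0.2"},
    {"asset": "door-ctrl-02", "vendor": "OtherVendor", "model": "MODEL-C", "firmware": "0.0.3"},
]


def load_kev(raw: str) -> list[dict]:
    return json.loads(raw)["vulnerabilities"]


def match_exposure(kev: list[dict], inventory: list[dict], today_iso: str) -> list[dict]:
    """Join the inventory to KEV entries on vendor name (case-insensitive).

    KEV's product field is coarse ("Multiple Devices"), so a vendor match is a
    lead to confirm against the vendor advisory, not proof that this model and
    firmware are affected; model and firmware ride along for that follow-up.
    """
    today = date.fromisoformat(today_iso)
    by_vendor: dict[str, list[dict]] = {}
    for entry in kev:
        by_vendor.setdefault(entry["vendorProject"].lower(), []).append(entry)
    report = []
    for asset in inventory:
        for entry in by_vendor.get(asset["vendor"].lower(), []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            report.append({"asset": asset["asset"], "model": asset["model"],
                           "firmware": asset["firmware"], "cveID": entry["cveID"],
                           "dueDate": entry["dueDate"], "days_left": days_left})
    # Closest (or most overdue) BOD 22-01 deadline first.
    return sorted(report, key=lambda r: (r["days_left"], r["asset"], r["cveID"]))


def overdue(report: list[dict]) -> list[dict]:
    """Entries whose remediation due date has already passed (days_left < 0)."""
    return [r for r in report if r["days_left"] < 0]
```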
For Windows administrators, paying close attention to the KEV Catalog delivers direct value. Even though CISA’s directive targets federal agencies, threat actors repurpose successful exploits across public and private sectors. Many Windows server environments also host or interact with third-party IoT systems, making holistic vulnerability management an imperative.

The Bigger Picture: Evolving Toward Resilience

CISA’s expanded KEV Catalog, now including CVE-2024-6047 and CVE-2024-11120, is not simply another set of technical alerts. It illustrates the evolving nature of modern cyber defense—where responsiveness, agility, and validated intelligence matter as much as raw technological firepower.
The emergence of these exploits against critical supply chain and IoT infrastructure prompts a re-examination of long-standing security assumptions:
  • Device Lifecycles Matter: Organizations must demand longer-term security support from vendors. Product end-of-life should not mean end of security patching—especially in sectors where device replacement is slow or infeasible.
  • Default Deny: Strong network segmentation and firewalling can drastically limit the blast radius of exploited devices. The perimeter and trust boundaries must be reviewed and narrowed wherever possible.
  • Holistic Threat Modeling: Instead of viewing IoT device risks as isolated, organizations should model how initial compromise could cascade—affecting IT, OT, and even physical security domains.
  • Continuous Validation: Regularly test incident response plans, validate security controls, and leverage red teaming to uncover hidden risk pathways opened up by device vulnerabilities.

The Path Forward for the Windows Community

For the WindowsForum.com community, the implications extend beyond curiosity. Many users and administrators find themselves managing hybrid environments where Windows servers, third-party hardware, and cloud workloads collide. The key takeaways are:
  • Monitoring CISA’s Known Exploited Vulnerabilities Catalog is a baseline best practice, not a federal-only concern.
  • Prioritize remediation of cataloged exploits, and coordinate with vendors for urgent firmware updates on all connected device types.
  • Foster a security-first culture that views patching as part of holistic risk management, including user awareness, network hardening, and incident response preparedness.
The current pace and scope of exploit discovery make it clear: cybersecurity is a living process, and vigilance is the price of safety. In the coming months, as CISA and partner agencies continue to update the KEV Catalog, organizations must remain alert—not just to new vulnerabilities as they emerge, but to the enduring lessons these incidents teach about interconnected risk. Whether defending a sprawling enterprise or a small business, the mandate remains the same: patch promptly, monitor continuously, and never assume security is “set and forget.”
With the addition of CVE-2024-6047 and CVE-2024-11120 to the high-priority list, it’s no longer a matter of if, but when attackers will pivot to the next unpatched device. The challenge for defenders everywhere is to make that window as short as possible—and to learn, act, and adapt at the speed of threat.

Source: CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA