CVE-2024-11120:

Overview

Remediation

• Replace the affected devices with supported, maintained hardware as recommended by the advisory (the devices are no longer maintained and replacement is advised).
• If replacement is not immediately feasible, implement strong network controls:
• Isolate devices from untrusted networks and the internet.
• Restrict management interfaces to trusted networks only (use VPNs or jump hosts).
• Enforce strict firewall rules to block inbound/outbound traffic to/from the devices except for approved management paths.
• Disable or minimize exposed services and management features on the devices where possible.
• Conduct inventory and confirm which devices in your environment are in the affected list (GV-VS12, GV-VS11, GV-DSP_LPR_V3, GVLX 4 V2, GVLX 4 V3) and plan replacement.
• Enhance monitoring and detection:
• Enable and review device logs for anomalous command execution attempts.
• Monitor for unusual outbound traffic or botnet-related activity consistent with IoT compromises.
• Leverage network-based IDS/IPS rules to detect exploitation indicators where feasible.
• If a temporary workaround exists from the vendor or integrator, apply any documented mitigations, but treat replacement as the primary remediation path.
• Review and implement a decommissioning plan for EOL devices to minimize risk exposure across the environment.

References

• - TWCERT Taiwan advisory (Japanese/English pages): https://www.twcert.org.tw/tw/cp-132-8236-d4836-1.html
• - TWCERT English advisory: https://www.twcert.org.tw/en/cp-139-8237-26d7a-2.html
• - Akamai security blog on exploitation: https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet
• - CISA Known Exploited Vulnerabilities (KEV) feed reference: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json