What happened
CISA added CVE-2024-11120 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-05-07, signaling active exploitation in the wild (CISA KEV). The flaw affects multiple GeoVision devices and is tracked as an OS command injection (CWE-78) that enables arbitrary system command execution (NVD entry). CISA’s summary states the issue is remotely exploitable without authentication and warns that impacted products could be end‑of‑life (EoL) or end‑of‑service (EoS), advising users to discontinue use if mitigations are unavailable (CISA KEV). The entry sets a remediation due date of 2025‑05‑28 and directs organizations to apply vendor mitigations or, failing that, stop using the product, and to follow applicable BOD 22‑01 guidance for cloud services (CISA KEV).
The CVE identifier and core metadata are also published by MITRE as the canonical record of the vulnerability (MITRE CVE), and mirrored with technical classification (CWE‑78) on NVD for defender consumption (NVD entry).
Why it matters
A pre‑authentication OS command injection allows an attacker to run arbitrary system commands on the device with no valid credentials, which is functionally remote code execution under the device’s service context (NVD entry). KEV inclusion means exploitation has been observed by U.S. government or trusted partners, elevating this to a must‑fix item rather than a theoretical risk (CISA KEV). When devices are EoL/EoS, patch availability is uncertain; CISA’s guidance to discontinue product utilization reflects the operational reality that some affected hardware will not receive fixes (CISA KEV).
Because the affected scope is “multiple devices,” asset owners may have heterogeneous deployments with uneven update paths and varying operational constraints, complicating uniform remediation (NVD entry). That combination (known exploitation, pre‑auth attack surface, and potentially unpatchable devices) creates a high‑priority exposure window that defenders must close quickly or compensate for with isolation and decommissioning (CISA KEV).
Technical detail
CVE-2024-11120 is categorized under CWE‑78 (OS Command Injection), where attacker‑controlled input is concatenated into a system shell or command interpreter, resulting in arbitrary command execution (NVD entry). The KEV description explicitly notes remote, unauthenticated exploitation, indicating that the vulnerable code path resides pre‑auth and is reachable over the network without valid user credentials (CISA KEV). This placement typically allows exploitation at scale whenever the device is reachable, since no per‑device credentials or session preconditions are required to trigger the vulnerable pathway (NVD entry).
The affected product scope is “GeoVision Multiple Devices,” which signals a family‑level vulnerability rather than a single SKU, increasing the likelihood of shared vulnerable components across models and firmware branches (NVD entry). CISA further flags that impacted products may be EoL/EoS, making vendor‑provided patches unavailable and elevating the need for compensating controls or device retirement (CISA KEV). As a published CVE, the identifier and associated references can be reliably used to map asset inventories and ticket remediation workflows across enterprises and service providers (MITRE CVE).
Defense
CISA mandates remediation by 2025‑05‑28 for KEV‑listed vulnerabilities, with required action to apply vendor mitigations, follow applicable BOD 22‑01 guidance for cloud services, or discontinue product use if mitigations are unavailable (CISA KEV). Where devices are EoL/EoS, the agency’s direction is explicit: remove affected products from operational networks if you cannot mitigate risk through vendor‑approved measures (CISA KEV). Track this CVE using the canonical MITRE record for consistent referencing across tooling and vendor advisories during triage (MITRE CVE).
Operationally, prioritize discovery and classification of any GeoVision assets and verify exposure and reachability to untrusted networks, as pre‑auth vulnerabilities are exploitable without credentials when endpoints are accessible (NVD entry). Treat mitigation deadlines for KEV items as non‑negotiable, given that inclusion indicates observed exploitation activity rather than academic risk (CISA KEV). Use NVD’s record to align vulnerability intelligence feeds and ensure SBOM/vuln scanners properly flag the CVE across “multiple devices” families during scanning cycles (NVD entry).
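The discovery and triage step above, sketched as an added example (not code from CISA, GeoVision or this site): it joins a KEV record to an asset inventory and derives the action and deadline for each GeoVision device. The KEV record is constructed from the values quoted in this article using the field names of CISA's KEV JSON feed; the inventory, its hostnames and its field names (vendor_supported, internet_facing) are hypothetical.

```python
import json
from datetime import date

# Constructed KEV-style record: field names follow CISA's KEV JSON feed,
# values are the ones quoted in this article.
KEV_JSON = """{"vulnerabilities": [{
  "cveID": "CVE-2024-11120", "vendorProject": "GeoVision",
  "product": "Multiple Devices", "dateAdded": "2025-05-07",
  "dueDate": "2025-05-28", "cwes": ["CWE-78"]}]}"""

# Constructed inventory; hostnames, fields and values are hypothetical.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "GeoVision", "vendor_supported": False, "internet_facing": True},
    {"host": "dvr-dock-02", "vendor": "geovision", "vendor_supported": True, "internet_facing": False},
    {"host": "nvr-lab-03", "vendor": "OtherVendor", "vendor_supported": True, "internet_facing": True},
]

def triage(kev_json, inventory, today):
    """Return one work item per asset whose vendor matches a KEV entry."""
    items = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        vendor = vuln["vendorProject"].casefold()
        for asset in inventory:
            if asset["vendor"].casefold() != vendor:
                continue
            # The KEV product is family-wide ("Multiple Devices"), so match
            # on vendor and let an analyst confirm the model afterwards.
            if not asset["vendor_supported"]:
                action = "discontinue"  # EoL/EoS: no mitigation expected
            else:
                action = "apply-vendor-mitigation"
            items.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "action": action,
                "isolate_now": asset["internet_facing"],  # pre-auth and reachable
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    # Reachable assets first, then by host for stable output.
    return sorted(items, key=lambda i: (not i["isolate_now"], i["host"]))

if __name__ == "__main__":
    for item in triage(KEV_JSON, INVENTORY, date(2025, 5, 14)):
        print(item)
```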
Lyrie Verdict
Pre‑authentication command injection gives adversaries machine‑speed initial access, so detection and response must operate at the same tempo (NVD entry). Lyrie ingests CISA’s KEV in real time and automatically elevates CVE‑2024‑11120 to enforced policy, tagging and isolating assets identified as GeoVision “multiple devices” until verified mitigations or decommissioning are complete (CISA KEV). We bind the canonical CVE to asset intelligence so that any inbound, unauthenticated reachability to flagged endpoints is treated as high‑risk and auto‑contained without waiting for human triage (MITRE CVE). This is anti‑rogue‑AI defense by design: autonomous ingestion of authoritative signals (KEV), continuous asset correlation, and immediate isolation of exploitable pre‑auth surfaces, closing the window attackers exploit faster than manual playbooks can react (CISA KEV).
Lyrie Verdict
Lyrie auto‑ingests KEV, correlates CVE‑2024‑11120 to asset fingerprints, and quarantines exposed GeoVision “multiple devices” pre‑auth surfaces at machine speed until mitigated or decommissioned.