Lyrie
By Lyrie Threat Intelligence·5/7/2025

What happened

CISA added CVE-2024-6047 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-05-07, with a remediation due date of 2025-05-28 (CISA KEV). The entry covers “GeoVision Multiple Devices” and documents an OS command injection flaw that allows a remote, unauthenticated attacker to execute arbitrary system commands (NVD CVE-2024-6047). CISA warns the impacted products may be end-of-life or end-of-service and advises users to discontinue product use if mitigations are unavailable (CISA KEV). The issue is tracked as CWE-78 (OS Command Injection) in the CVE record (MITRE CVE).

Why it matters

Inclusion in KEV means the vulnerability is known to be exploited in the wild and must be prioritized for remediation by federal agencies under BOD 22-01 timelines (CISA KEV). Unauthenticated command injection typically enables immediate system-level execution, providing an attacker with control over the underlying OS and potential pivoting or persistence options (NVD CVE-2024-6047). The additional complication here is lifecycle status: devices that are EoL/EoS often lack security updates and should be decommissioned when mitigation is not possible, per CISA’s guidance for this entry (CISA KEV).

For operators, this is a classic edge-device problem: a remotely reachable appliance class with an unauthenticated path to arbitrary command execution is easy to automate at scale by opportunistic actors, increasing the blast radius if exposure is broad (NVD CVE-2024-6047). The fact that CISA has set a short remediation due date underscores the active-exploitation signal and urgency (CISA KEV).

Technical detail

CVE-2024-6047 is categorized under CWE-78, which covers improperly neutralized OS command inputs that lead to execution of unintended system commands (NVD CVE-2024-6047). The KEV record states the issue affects multiple GeoVision devices and specifically notes the ability for a remote, unauthenticated attacker to inject and execute arbitrary system commands (CISA KEV). The presence of unauthenticated code execution means no credentials are required to trigger the vulnerability, reducing attacker friction and enabling broad scanning and exploitation (MITRE CVE).

The KEV entry explicitly flags that affected products may be EoL/EoS and instructs users to discontinue product utilization if mitigations are unavailable, indicating that patch coverage may not exist for some devices in scope (CISA KEV). The CVE listing on NVD provides canonical tracking and cross-references for the vulnerability family and classification, supporting triage and risk assessment workflows (NVD CVE-2024-6047).

Defense

CISA’s required action for CVE-2024-6047: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable (CISA KEV). Because the issue is unauthenticated command injection, defenders should treat exposed instances as high-risk until verified remediated or removed, aligning with the KEV prioritization model (NVD CVE-2024-6047). Where lifecycle constraints apply (EoL/EoS), CISA’s directive is explicit: decommission the product if you cannot mitigate through vendor-provided steps (CISA KEV).

Verification steps should include confirming the device model’s presence in your asset inventory, validating whether a vendor mitigation exists, and documenting the remediation or decommissioning path according to BOD 22-01 timelines for KEV entries (CISA KEV). Reference the CVE record to anchor ticketing and cross-system tracking with a single identifier and class (CWE-78) to ensure consistent risk tagging across tools (MITRE CVE).
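The verification steps above can be scripted against an asset inventory. The following is an added example, not code from Lyrie or CISA: the KEV record is constructed from the values on this page using the field names of the CISA KEV JSON feed, and the inventory, hostnames, model placeholders and the `vendor_mitigation` / `internet_exposed` flags are assumptions.

```python
from datetime import date

# Constructed record: values come from this page, field names follow the
# CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, cwes).
KEV_ENTRY = {
    "cveID": "CVE-2024-6047",
    "vendorProject": "GeoVision",
    "product": "Multiple Devices",
    "dateAdded": "2025-05-07",
    "dueDate": "2025-05-28",
    "cwes": ["CWE-78"],
}

# Constructed inventory; hostnames and model strings are placeholders.
INVENTORY = [
    {"host": "cam-gw-01", "vendor": "GeoVision", "model": "MODEL-PLACEHOLDER-A",
     "vendor_mitigation": False, "internet_exposed": True},
    {"host": "cam-gw-02", "vendor": "geovision ", "model": "MODEL-PLACEHOLDER-B",
     "vendor_mitigation": True, "internet_exposed": False},
    {"host": "fw-edge-01", "vendor": "OtherVendor", "model": "MODEL-PLACEHOLDER-C",
     "vendor_mitigation": True, "internet_exposed": True},
]

def triage(entry, inventory, today):
    """Return one ticket per in-scope asset, most urgent first."""
    due = date.fromisoformat(entry["dueDate"])
    vendor = entry["vendorProject"].strip().casefold()
    tickets = []
    for asset in inventory:
        # The KEV product is "Multiple Devices", so scope by vendor and let
        # an operator confirm the model against the vendor's instructions.
        if asset["vendor"].strip().casefold() != vendor:
            continue
        # KEV required action: mitigate per vendor, else discontinue use.
        action = ("apply vendor mitigation" if asset["vendor_mitigation"]
                  else "discontinue use")
        tickets.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "cwe": entry["cwes"][0],
            "action": action,
            "due": due.isoformat(),
            "days_left": (due - today).days,  # negative means overdue
            "exposed": asset["internet_exposed"],
        })
    # Exposed assets first, then those with no mitigation path.
    tickets.sort(key=lambda t: (not t["exposed"],
                                t["action"] != "discontinue use", t["host"]))
    return tickets
```

Each returned ticket carries the single CVE identifier and CWE class, so the same tags can be pushed to every downstream tool.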

Lyrie Verdict

Autonomous attackers thrive on unauthenticated RCE, and CVE-2024-6047 fits that profile: remote command execution with no login barrier and active exploitation confirmed by KEV inclusion (CISA KEV). Lyrie treats this as a machine-speed threat class: we prioritize telemetry from network-edge appliances flagged with this CVE, correlate unauthenticated execution attempts against device endpoints, and pre-emptively quarantine assets that match exploitation patterns while tickets are auto-opened against the CVE record for operator action (NVD CVE-2024-6047). Where devices are EoL/EoS and cannot be remediated, Lyrie enforces policy-driven isolation and removal workflows consistent with KEV guidance to discontinue product utilization, eliminating targets that autonomous adversaries would otherwise recycle across campaigns (CISA KEV).

CVE-2024-6047 is unauthenticated OS command injection actively exploited per CISA KEV; Lyrie prioritizes autonomous detection and isolation of exposed devices, correlates execution attempts to the CVE, and enforces removal for EoL/EoS assets in line with KEV guidance to deny rogue AI-style mass exploitation.