ctipilot.ch

wolfSSL registeredID SAN name-constraint bypass (Talos, CVSS 7.4)

cve · CVE-2026-25106 single-source

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Peak priority
notable
1 notable
Sources cited
7
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
5
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
GeoVision GV-I/O Box 4EGeoVision GeoWebPlayervtk-dicomwolfSSL

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1189Drive-by Compromise×1

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

Evidence: 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · ATT&CK page ↗

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · ATT&CK page ↗

Execution TA0002

T1203Exploitation for Client Execution×1

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Evidence: 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · ATT&CK page ↗

Defense Impairment TA0112

T1553Subvert Trust Controls×1

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Evidence: 2026-07-09/talos-wolfssl-geovision-vtkdicom-disclosure · ATT&CK page ↗

Story timeline

  1. 2026-07-09Cisco Talos batch disclosure: wolfSSL PKI name-constraint bypasses, GeoVision command injection, and a VTK-DICOM heap overflow (41 CVEs)
    trending-vulnerabilitiesTalos discloses 41 patched CVEs: wolfSSL silently ignores IP/registeredID cert name constraints, GeoVision GV-I/O boxes take a high-privilege command injection

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • talosintelligence.com6 (86%)
  • blog.talosintelligence.com1 (14%)

Related entities

Entries about wolfSSL registeredID SAN name-constraint bypass (Talos, CVSS 7.4) (1)

2026-07-09 · view entry permalink →

Cisco Talos batch disclosure: wolfSSL PKI name-constraint bypasses, GeoVision command injection, and a VTK-DICOM heap overflow (41 CVEs)

Cisco Talos' Vulnerability Discovery & Research team published a coordinated-disclosure roundup on 2026-07-09 — three wolfSSL, 37 GeoVision (across 14 advisories) and one VTK-DICOM CVE, 41 in total, all patched by their respective vendors under Cisco's third-party disclosure policy (Cisco Talos, 2026-07-09). In wolfSSL 5.9.1 (embedded TLS for IoT/RTOS/medical/embedded devices), two X.509 name-constraint bugs let a subordinate CA issue certificates outside its permitted scope and have them accepted anyway, subverting a trust control (T1553): CVE-2026-28739 (CVSS 9.1) — the iPAddress SAN branch is compiled out unless WOLFSSL_IP_ALT_NAME is defined, silently skipping constraint enforcement for any certificate carrying an iPAddress SAN (Talos TALOS-2026-2409, 2026-07-09) — and CVE-2026-25106 (CVSS 7.4) — ConfirmNameConstraints() iterates a fixed GeneralName-type array that omits ASN_RID_TYPE, so registeredID SANs bypass constraint checking in every build (Talos TALOS-2026-2410, 2026-07-09). A third, CVE-2026-33091 (CVSS 7.5), is an integer underflow in PKCS#7 OtherRecipientInfo parsing that produces a heap buffer overflow with a stated path to code execution (Talos TALOS-2026-2408, 2026-07-09).

Talos separately disclosed 37 CVEs across GeoVision physical-security/CCTV/access-control hardware. The most severe is an OS command-injection cluster led by CVE-2026-12486 (CVSS 9.1) in GV-I/O Box 4E 2.09: a function builds a shell command string from an attacker-controlled IP/netmask/gateway/DNS value with no sanitisation and passes it to system(), reachable over the network from the DVRSearch discovery service and the Network.cgi endpoint — though Talos scores it PR:H, i.e. requiring high privileges rather than fully unauthenticated (T1190) (Talos TALOS-2026-2379, 2026-07-09). CVE-2026-13125 (CVSS 8.8) is a missing-authentication flaw in GeoWebPlayer version 1.1.1.0 (shipped with GV-VMS/GV-Cloud): it opens an unauthenticated WebSocket server on localhost, so any webpage a victim visits can connect and invoke screen-capture APIs to exfiltrate their screen (T1189) (Talos TALOS-2026-2370, 2026-07-09). Finally, VTK-DICOM 9.5.2 (used to parse DICOM CT/MRI data) carries CVE-2026-22879 (CVSS 8.1), an improper-array-index heap overflow where a crafted DICOM file corrupts heap-chunk metadata and aborts the process — a client-side surface for hospital PACS/imaging pipelines that ingest external DICOM (T1203) (Talos TALOS-2026-2366, 2026-07-09).

In some configurations wolfSSL will silently fail to add IP Address GeneralName mappings to the certificate's alternative names list, causing IP addresses outside of the permitted range to be treated as valid.

Cisco Talos (TALOS-2026-2409) 2026-07-09

The following function takes a string as an ip address, performs no sanitization and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

Cisco Talos (TALOS-2026-2379) 2026-07-09

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco's third-party vulnerability disclosure policy.

Cisco Talos 2026-07-09
vulnerability09 Jul 20:40Zsingle-sourceOpen finding ↗