ctipilot.ch
← Back to Daily brief 2026-07-09
NOTABLECVE-2026-28739 +5vulnerability

Cisco Talos batch disclosure: wolfSSL PKI name-constraint bypasses, GeoVision command injection, and a VTK-DICOM heap overflow (41 CVEs)

discovered 2026-07-09 20:40 UTCrun 2026-07-09T2009Z-intel7 sourcessingle-source

Cisco Talos' Vulnerability Discovery & Research team published a coordinated-disclosure roundup on 2026-07-09 — three wolfSSL, 37 GeoVision (across 14 advisories) and one VTK-DICOM CVE, 41 in total, all patched by their respective vendors under Cisco's third-party disclosure policy (Cisco Talos, 2026-07-09). In wolfSSL 5.9.1 (embedded TLS for IoT/RTOS/medical/embedded devices), two X.509 name-constraint bugs let a subordinate CA issue certificates outside its permitted scope and have them accepted anyway, subverting a trust control (T1553): CVE-2026-28739 (CVSS 9.1) — the iPAddress SAN branch is compiled out unless WOLFSSL_IP_ALT_NAME is defined, silently skipping constraint enforcement for any certificate carrying an iPAddress SAN (Talos TALOS-2026-2409, 2026-07-09) — and CVE-2026-25106 (CVSS 7.4) — ConfirmNameConstraints() iterates a fixed GeneralName-type array that omits ASN_RID_TYPE, so registeredID SANs bypass constraint checking in every build (Talos TALOS-2026-2410, 2026-07-09). A third, CVE-2026-33091 (CVSS 7.5), is an integer underflow in PKCS#7 OtherRecipientInfo parsing that produces a heap buffer overflow with a stated path to code execution (Talos TALOS-2026-2408, 2026-07-09).

Talos separately disclosed 37 CVEs across GeoVision physical-security/CCTV/access-control hardware. The most severe is an OS command-injection cluster led by CVE-2026-12486 (CVSS 9.1) in GV-I/O Box 4E 2.09: a function builds a shell command string from an attacker-controlled IP/netmask/gateway/DNS value with no sanitisation and passes it to system(), reachable over the network from the DVRSearch discovery service and the Network.cgi endpoint — though Talos scores it PR:H, i.e. requiring high privileges rather than fully unauthenticated (T1190) (Talos TALOS-2026-2379, 2026-07-09). CVE-2026-13125 (CVSS 8.8) is a missing-authentication flaw in GeoWebPlayer version 1.1.1.0 (shipped with GV-VMS/GV-Cloud): it opens an unauthenticated WebSocket server on localhost, so any webpage a victim visits can connect and invoke screen-capture APIs to exfiltrate their screen (T1189) (Talos TALOS-2026-2370, 2026-07-09). Finally, VTK-DICOM 9.5.2 (used to parse DICOM CT/MRI data) carries CVE-2026-22879 (CVSS 8.1), an improper-array-index heap overflow where a crafted DICOM file corrupts heap-chunk metadata and aborts the process — a client-side surface for hospital PACS/imaging pipelines that ingest external DICOM (T1203) (Talos TALOS-2026-2366, 2026-07-09).

In some configurations wolfSSL will silently fail to add IP Address GeneralName mappings to the certificate's alternative names list, causing IP addresses outside of the permitted range to be treated as valid.

Cisco Talos (TALOS-2026-2409) 2026-07-09

The following function takes a string as an ip address, performs no sanitization and calls system. This is a classic command injection vulnerability. The function is reachable from both the network-exposed DVRSearch service and the Network.cgi endpoint.

Cisco Talos (TALOS-2026-2379) 2026-07-09

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco's third-party vulnerability disclosure policy.

Cisco Talos 2026-07-09

Defender actions

  • If you rely on wolfSSL-based TLS validation with constrained sub-CAs, do not assume the client enforces name constraints: patch wolfSSL and review any trust model that depends on iPAddress or registeredID SAN name-constraint enforcement, which wolfSSL silently skipped.
  • Inventory GeoVision physical-security hardware (GV-I/O boxes, DVR/NVR, GV-VMS/GV-Cloud, GeoWebPlayer) in facilities; confirm firmware is on the vendor-patched builds and that management interfaces (DVRSearch discovery, Network.cgi) are off any network reachable by untrusted hosts.
  • For healthcare imaging pipelines that ingest external DICOM files via VTK-DICOM, patch to the fixed release and hunt for DICOM-parsing processes crashing/aborting on ingest as a sign of malformed-file submission.

ATT&CK mapping

4 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1189Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

overlap matrix · ATT&CK page ↗

T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1203Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

overlap matrix · ATT&CK page ↗

Defense Impairment TA0112
T1553Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.