
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with two new entries: CVE-2024-6047 and CVE-2024-11120, both affecting GeoVision devices. These OS command injection vulnerabilities have been actively exploited in the wild, prompting CISA to mandate remediation for federal agencies under Binding Operational Directive (BOD) 22-01.
TL;DR: Key Points for Security Teams
- CISA added two GeoVision vulnerabilities (CVE-2024-6047, CVE-2024-11120) to KEV Catalog
- Both are OS command injection flaws with active exploitation
- Federal agencies must remediate per BOD 22-01 requirements
- Private organizations strongly urged to patch immediately
- Catalog available in CSV/JSON formats for integration
Vulnerability Details
The newly listed vulnerabilities both affect GeoVision devices, which are commonly used in physical security and surveillance systems. CVE-2024-6047 and CVE-2024-11120 allow remote attackers to execute arbitrary operating system commands through crafted inputs to vulnerable interfaces. Successful exploitation could lead to complete system compromise, data exfiltration, or lateral movement within networks [2].
These additions follow CISA’s established criteria for the KEV Catalog, which focuses on vulnerabilities with:
- Clear evidence of active exploitation
- Publicly available proof-of-concept code
- Significant impact on federal enterprise systems
Remediation Requirements
Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by their specified due dates. While the directive only applies to federal agencies, CISA strongly recommends all organizations prioritize these flaws given their active exploitation status [3].
The remediation timeline typically follows this pattern:
| Vulnerability Type | Remediation Deadline |
|---|---|
| Newly added vulnerabilities | 2 weeks from catalog addition |
| Historical vulnerabilities | 6 months from catalog addition |
Technical Impact and Detection
Security teams should look for these indicators of potential exploitation:
- Unusual process execution from web service accounts
- Suspicious command-line arguments containing special characters
- Unexpected network connections from GeoVision devices
The vulnerabilities are particularly concerning because GeoVision devices often have privileged access to physical security systems. Compromise could allow attackers to manipulate surveillance feeds, disable alarms, or gain physical access to secured areas.
Broader Context of KEV Catalog Updates
CISA’s May 2025 update continues a pattern of prioritizing vulnerabilities in network appliances and physical security systems. Recent additions to the catalog have included flaws in SonicWall SMA100 appliances (CVE-2023-44221) and Apache HTTP Server (CVE-2024-38475) [4].
The KEV Catalog serves as a prioritized list for vulnerability management, with CISA updating it weekly based on threat intelligence. Organizations can subscribe to automatic updates through the catalog’s RSS feed or download the complete list in machine-readable formats for integration with vulnerability scanners and SIEM systems.
Recommended Actions
Security teams should take these immediate steps:
- Inventory all GeoVision devices in the environment
- Apply vendor-provided patches immediately
- Monitor for exploit attempts using the detection methods above
- Consider network segmentation for physical security systems
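The inventory step above and the machine-readable catalog mentioned earlier fit together naturally: pull the KEV JSON feed, match its entries against your asset inventory, and rank what matched by its BOD 22-01 due date. The script below is an added example written for this article, not CISA tooling; it embeds a constructed sample in the shape of the KEV JSON feed (field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` as published by CISA, but the dates and product strings are placeholders) and a constructed inventory.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (a subset of its fields).
# The dates and product strings are placeholders, not the catalog's real values.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-6047", "vendorProject": "GeoVision", "product": "GeoVision devices",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-15"},
    {"cveID": "CVE-2024-11120", "vendorProject": "GeoVision", "product": "GeoVision devices",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-15"},
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "SMA100 appliances",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22"},
]})

# Constructed asset inventory: hostname -> vendor string as recorded by the asset system.
INVENTORY = {"cam-lobby-01": "GeoVision", "cam-dock-02": "geovision",
             "fw-edge-01": "ExampleVendor"}

def kev_exposure(kev_json, inventory, today_iso):
    """Match KEV entries to inventoried vendors and rank them by remediation deadline.

    Returns one finding per matching CVE with the affected hosts, days until the
    KEV due date (negative when overdue) and a status label, most urgent first.
    """
    today = date.fromisoformat(today_iso)
    hosts_by_vendor = {}
    for host, vendor in inventory.items():          # normalise vendor names once
        hosts_by_vendor.setdefault(vendor.strip().lower(), []).append(host)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hosts = hosts_by_vendor.get(entry["vendorProject"].strip().lower())
        if not hosts:
            continue                                 # vendor not present in the estate
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else "DUE_SOON" if days_left <= 7 else "OPEN"
        findings.append({"cve": entry["cveID"], "hosts": sorted(hosts), "due": entry["dueDate"],
                         "days_left": days_left, "status": status})
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in kev_exposure(SAMPLE_KEV, INVENTORY, "2025-05-10"):
        print(f"{f['status']:8} {f['cve']} due {f['due']} ({f['days_left']:+d} days) "
              f"on {', '.join(f['hosts'])}")
```

Matching on vendor alone is deliberately coarse so that nothing is missed on the first pass; refine with the `product` field and firmware versions from the asset system before closing findings.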
For organizations using GeoVision products, the vendor has released security updates addressing these vulnerabilities. System administrators should prioritize applying these patches, particularly for internet-facing devices.
Conclusion
CISA’s addition of these GeoVision vulnerabilities to the KEV Catalog highlights the ongoing risk posed by network-connected physical security systems. The active exploitation of these flaws demonstrates that attackers continue to target such devices due to their critical function and often-outdated security postures.
Security teams should use this update as an opportunity to review their vulnerability management processes, ensuring they can rapidly identify and remediate KEV-listed vulnerabilities. The catalog remains one of the most reliable sources for prioritizing patching efforts based on real-world threat activity.
References
- “Known Exploited Vulnerabilities Catalog”, CISA, 2025.
- “CVE-2024-6047 Detail”, CVE.org, 2024.
- “BOD 22-01 Fact Sheet”, CISA, 2023.
- “CISA Adds Two Known Exploited Vulnerabilities to Catalog”, CISA Alert, May 1, 2025.
- “CISA Adds Three Critical Vulnerabilities to Known Exploited Vulnerabilities Catalog”, Cyble Report, Sep 10, 2024.
- “CISA Adds Two New Vulnerabilities to Known Exploited Vulnerabilities Catalog”, CommandLink Alert, Sep 16, 2024.
- “CISA Adds 6 Known Exploited Vulnerabilities to Catalog”, TuxCare Blog, Jan 22, 2024.