
DRAGOWN/CVE-2025-26263


CVE-2025-26263

CVE-2025-26263 - The GeoVision ASManager Windows desktop application, version 6.1.2.0 or earlier, is vulnerable to credential disclosure due to improper memory handling in the ASManagerService.exe process.

Requirements

To perform a successful attack, an attacker requires:

  • System-level access to the GV-ASManager Windows desktop application, version 6.1.2.0 or earlier;
  • A high-privilege account to dump the memory.

Impact

The vulnerability can be leveraged to perform the following unauthorized actions:

  • An attacker with a high-privilege system user account, who isn't authorized to access GeoVision ASManager, is able to:
    • Dump ASManager account credentials;
    • Authenticate in ASManager.
  • After authenticating in ASManager, an attacker will be able to:
    • Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
    • Make changes to data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
    • Disrupt and disconnect services such as monitoring cameras and access controls.
    • Clone and duplicate access control data for further attack scenarios.

CVE-2025-26263 PoC [Testing GeoVision v6.1.2.0]

Credentials leaked in memory can be dumped and found in two cases:

  • An account which has been authenticated in the software at least once;
  • An account which has never been authenticated in the software, where an attacker is able to trigger the memory allocation with the "Forget Password?" function.

The application runs at system startup

If the account has been authenticated at least once in the software installed on the system we have local access to:

Account which has been authenticated in the software at least once:

Searching for the username "test" and the related random part "YuYRV6" that has been added to the username. As shown, a randomized string "YuYRV6" was added to the username test, which can be used to find the related password.

Searching the dumped memory for "YuYRV6", which should also be added to the related password for the "test" account

Dumping password for account "test"

It seems "Test123!" is the password for the account test.

If an account has never been authenticated in the software, an attacker can trigger the software to allocate the data in memory by using the "Forget Password?" function, and then dump the credentials leaked in memory:

Using Password recovery function for Administrator user

Software couldn't send the password recovery email

Dumping memory allocated to ASManagerService.exe and filtering with pattern "bstrpassword"

Administrator password leaked in memory

It seems "StrongestPass@999" is the password for account Administrator.
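Both cases above depend on another process opening ASManagerService.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The following detection sketch is an added example and not part of the original repository; the sample events, file paths, user names and allowlist are constructed assumptions.

```python
import ntpath

TARGET = "asmanagerservice.exe"   # process named in this advisory
PROCESS_VM_READ = 0x0010          # Windows access right required to read another process's memory

# Assumption: processes expected to open the service; tune to the host's baseline.
ALLOWLIST = {r"c:\windows\system32\services.exe"}

# Constructed records using Sysmon Event ID 10 field names.
# Paths and users are placeholders, not taken from a real installation.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\Example\ASManagerService.exe",
     "GrantedAccess": "0x1410", "SourceUser": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "SourceImage": r"C:\Users\ops\Downloads\tool.exe",
     "TargetImage": r"C:\Example\ASManagerService.exe",
     "GrantedAccess": "0x1FFFFF", "SourceUser": r"LAB\ops"},
    {"EventID": 10, "SourceImage": r"C:\Example\monitor.exe",
     "TargetImage": r"C:\Example\ASManagerService.exe",
     "GrantedAccess": "0x1000", "SourceUser": r"LAB\svc-mon"},  # query-only, no VM_READ
    {"EventID": 10, "SourceImage": r"C:\Users\ops\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF", "SourceUser": r"LAB\ops"},    # different target
]

def is_suspicious(event):
    """True when a non-allowlisted process opened the service with memory-read rights."""
    if event.get("EventID") != 10:
        return False
    if ntpath.basename(event.get("TargetImage", "")).lower() != TARGET:
        return False
    try:
        mask = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed mask: skip rather than crash the pipeline
    if not mask & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLIST

def find_memory_reads(events):
    """Return the events that warrant review."""
    return [e for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for hit in find_memory_reads(SAMPLE_EVENTS):
        print(f'{hit["SourceUser"]}: {hit["SourceImage"]} -> '
              f'{hit["TargetImage"]} ({hit["GrantedAccess"]})')
```
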

Contact

If you have a question, you can contact me, Giorgi Dograshvili, on LinkedIn.
