eastbaycyber

CVE-2026-13125: GeoVision GeoWebPlayer WebSocket Vulnerability

CVE explainers 10 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-02
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-13125
CVSS score 8.8 (High)
Attack vector Local WebSocket exposure reachable from a malicious website
Auth required No
Patch status Not confirmed from retrieved primary sources

TL;DR - GeoVision GeoWebPlayer exposes a local WebSocket server without authentication. - Users running GV-VMS or GV-Cloud VMS helper components may be at risk from malicious websites. - Treat as high priority even though fixed versions and in-the-wild exploitation are not yet confirmed.

What this vulnerability is and why it matters

CVE-2026-13125 affects GeoVision Inc. GeoWebPlayer, a helper component also referred to in GeoVision materials as Web Plugin for GV-VMS and WS Player for GV-Cloud VMS. According to the NVD description, the component creates a local WebSocket server to extend browser-based interfaces. The core security issue is straightforward: the WebSocket service does not require authentication before exposing sensitive APIs.

That design failure matters because it breaks a boundary many organizations still implicitly trust: the path from a website in the user’s browser to a service listening on the user’s local machine. If a user visits a malicious site while the GeoVision helper is installed and running, that site may be able to open a connection to the local WebSocket service and call exposed methods. NVD specifically says an attacker can chain the create method with getScreenCapture to retrieve the contents of the user’s screen.

For practitioners, the practical impact is larger than “just” a desktop screenshot. In environments where GV-VMS or GV-Cloud VMS is used for physical security, surveillance review, control room workflows, or central monitoring, a screen capture can reveal camera feeds, maps, operator credentials, internal dashboards, alarm details, or other sensitive visual information. If the target workstation is used for both security operations and general web browsing, the attack surface is especially concerning.

The issue is also notable because it does not require traditional endpoint compromise. The described path is closer to a browser-to-localhost abuse case, where the local helper application becomes the vulnerable asset and the malicious website becomes the delivery vehicle. Even if exploitation is limited to local user context, the confidentiality impact can still be severe.

AnalystImpact · assess the risk

Affected products and versions

The confirmed affected component is GeoWebPlayer, which GeoVision documentation and product materials also refer to as Web Plugin and WS Player depending on the product line. The NVD description explicitly ties the addon to GV-VMS and GV-Cloud deployments. Based on the research note, the naming is consistent across NVD, GeoVision’s security portal, and GeoVision’s GV-Cloud VMS documentation and download pages.

What is not confirmed from the retrieved materials is the exact vulnerable version range. At this time, the defensible statement is:

Item Status
Vendor GeoVision Inc.
Affected component GeoWebPlayer / Web Plugin / WS Player
Associated products GV-VMS, GV-Cloud VMS
Exact affected version range Not disclosed in retrieved sources
Fixed version Not confirmed in retrieved sources

A GeoVision download page surfaced in the research shows “WS Player V1.1.1”, but that alone does not establish whether WS Player V1.1.1 is vulnerable or fixed. Because no vendor advisory with version boundaries was available in the provided source set, defenders should avoid assuming that the latest visible download is safe. In the absence of explicit version guidance, the safer working assumption is that any installed GeoWebPlayer / Web Plugin / WS Player instance associated with GV-VMS or GV-Cloud VMS may require review and mitigation.

This is an important operational nuance. Security teams often want a simple “upgrade from X to Y” answer, but for CVE-2026-13125 that information is not yet available from the materials provided. If you manage GeoVision systems, inventory the helper component directly rather than relying only on the parent VMS application version.

Severity and exploitation status

CVE-2026-13125 has a CVSS v3.x base score of 8.8 (High). The full vector was not returned in the supplied NVD tooling output, so it would be inappropriate to reconstruct or guess it here. Still, the score aligns with the described impact: no authentication required, sensitive local functionality exposed, and direct screen capture possible.

At the time of writing, CISA KEV does not list CVE-2026-13125, which means there is no CISA-confirmed evidence in the provided data that this vulnerability is being exploited in the wild. That should not be read as “safe to defer.” KEV lag, limited vendor disclosure, and niche product targeting can all delay public exploitation signals.

The current evidence on exploitation can be summarized as follows:

Exploitation signal Status
Confirmed exploitation in the wild Not confirmed from retrieved sources
CISA KEV listing No
Public PoC Not verified from retrieved sources
Third-party research Cisco Talos reference exists: TALOS-2026-2370

There is also no verified public GitHub PoC in the source material provided. However, the NVD description is specific enough to outline a plausible attack sequence: connect to the unauthenticated WebSocket endpoint, call create, then call getScreenCapture. From a defender’s standpoint, that means you should assume exploit development effort is low to moderate even if a polished public PoC has not surfaced.

So what should defenders do now?

The immediate priority is to identify where the vulnerable helper component is installed. Unlike server-side CVEs that can be handled centrally, this issue may exist on operator desktops, review workstations, dispatch consoles, or administrative PCs that run browser-based GeoVision interfaces. Your asset inventory should include the GeoWebPlayer / Web Plugin / WS Player component, not just the GeoVision VMS platform itself.

Next, reduce exposure by treating the local WebSocket service as an attack surface that should not be available during normal browsing. If the helper is optional for some workflows, disable or uninstall it on endpoints that do not actively need browser-driven GeoVision functionality. If it is required, separate those workstations from general web activity where possible. Dedicated operator stations, kiosk restrictions, outbound filtering, and application control are all relevant compensating controls here.

Because a malicious website is the likely trigger, browser hygiene matters. Restrict internet access on security operator machines, block unapproved destinations, and consider isolating web access from surveillance operations. Even though the flaw resides in a local helper application, the browser is still part of the attack chain.

Finally, monitor GeoVision’s official security portal for a vendor advisory that confirms version boundaries and fixed builds. Since the retrieved materials do not provide an explicit remediation version, defenders should be prepared to validate any newly published package before broad rollout.

Technical context for security teams

From a root-cause perspective, CVE-2026-13125 is an example of a local service exposed to browser-originated requests without adequate trust controls. The missing authentication requirement is the central problem, but robust defenses in this design pattern usually also include origin validation, CSRF-resistant request handling, permission prompts, and strict feature-level authorization. The fact that getScreenCapture is reachable strongly suggests those controls were insufficient or absent.

For blue teams, this CVE is a reminder to review “helper” software with the same rigor applied to browsers, agents, and remote access tools. Surveillance and control software often ships with local brokers, plugins, or viewers that quietly expand the host’s attack surface. These components may not be internet-facing, but they can still be reachable from content rendered in a browser session.

The strongest immediate assumption is this: if a user runs a vulnerable GeoVision helper and visits a hostile site, local screen content may be exposed without traditional malware installation. That is enough to justify urgent review, isolation of affected workstations, and a push for vendor remediation details.

ResponderRunbook · act now

Detection and threat hunting

Detection for this issue is harder than for a typical network-facing service because the vulnerable endpoint is local to the host. That means host telemetry, browser telemetry, and process/network correlation are more useful than perimeter IDS alone. If you have EDR on operator workstations, focus on browser processes making loopback or local interface connections to a WebSocket service associated with GeoVision helper software.

You should also look for parent-child relationships or file paths that identify the helper component. If browser activity is followed by unusual local listener communication and then image capture or temporary file activity, that sequence deserves investigation. Since the NVD description specifically names create and getScreenCapture, any telemetry that captures WebSocket message content, local API logs, or debug traces should be searched for those strings.

Technical Notes

If Sysmon is deployed, start by hunting for browser connections to loopback listeners. The exact port is not confirmed in the source material, so query broadly for localhost and loopback traffic:

# Sysmon Event ID 3 in Microsoft-Windows-Sysmon/Operational
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" |
  Where-Object { $_.Id -eq 3 } |
  Where-Object {
    $_.Message -match "Image:.*(chrome|msedge|firefox|iexplore).exe" -and
    $_.Message -match "DestinationHostname:\s+(localhost|127\.0\.0\.1|::1)"
  } |
  Select-Object TimeCreated, Id, Message

Example log patterns to flag in process or network telemetry:

Image: C:\Program Files\Google\Chrome\Application\chrome.exe
DestinationHostname: 127.0.0.1
DestinationIp: 127.0.0.1
Protocol: tcp
Initiated: true

If you have proxy, browser, or EDR telemetry that captures script-driven WebSocket creation, hunt for suspicious localhost WebSocket usage from untrusted web origins:

// Example Microsoft Defender / Sentinel style hunting query
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("chrome.exe","msedge.exe","firefox.exe")
| where RemoteIP in ("127.0.0.1","::1")
   or RemoteUrl has "localhost"
| summarize count(), min(Timestamp), max(Timestamp) by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, InitiatingProcessCommandLine

Because the exact listener port and protocol details are not confirmed in the provided sources, defenders should baseline normal GeoVision helper traffic in a test environment and then refine detections around the actual port, process name, and WebSocket handshake patterns. In the absence of vendor logging guidance, assume endpoint-centric detection will be required.

Mitigation and patching

The most important limitation for CVE-2026-13125 is that the fixed version is not confirmed in the retrieved primary materials. There is also no verified vendor statement in the provided sources that establishes whether a patch is already available. As a result, mitigation must begin with compensating controls and controlled validation, not blind trust in a download labeled “latest.”

If GeoVision publishes an updated WS Player / Web Plugin / GeoWebPlayer package, validate that it explicitly references CVE-2026-13125 or corrects the authentication weakness on the local WebSocket service. Until then, defenders should assume the helper component remains risky on systems that browse untrusted websites. If business operations allow it, uninstall or disable the plugin on systems that do not require browser-based GeoVision functionality.

Segmentation is the next best control. Use dedicated workstations for GV-VMS or GV-Cloud VMS operations, restrict outbound browsing, and apply browser allowlisting. If operators must access the internet, consider virtualization or remote browser isolation to reduce the chance that a malicious page can interact directly with a locally installed helper.

Technical Notes

On Windows endpoints, first identify whether the component is installed. Since package naming may vary, search for all known names:

Get-ChildItem "C:\Program Files","C:\Program Files (x86)" -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match "GeoWebPlayer|WS Player|Web Plugin" } |
  Select-Object FullName

If your environment manages software with PowerShell package inventory, try:

Get-Package | Where-Object { $_.Name -match "GeoWebPlayer|WS Player|Web Plugin|GeoVision" } |
  Select-Object Name, Version, ProviderName

If the component is not required, uninstall through standard software management. The exact uninstall string is environment-specific and not provided in the source materials, but on many Windows systems you can enumerate and invoke the registered uninstall command:

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* ,
                 HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
  Where-Object { $_.DisplayName -match "GeoWebPlayer|WS Player|Web Plugin" } |
  Select-Object DisplayName, DisplayVersion, UninstallString

If no patch is available and uninstall is not feasible, block the helper from starting where possible and restrict browser access on affected hosts. A basic application control approach could include disabling startup entries or service launch mechanisms tied to the plugin, but because the service name and binary path are not confirmed in the source set, test carefully before production changes.

For organizations using software deployment tools, the safe upgrade guidance is: upgrade only to a GeoVision-released version that explicitly addresses CVE-2026-13125. If that statement is absent, do not assume the package is remediated.

References

Source URL
NVD CVE record https://nvd.nist.gov/vuln/detail/CVE-2026-13125
GeoVision security portal https://www.geovision.com.tw/cyber_security.php
Cisco Talos report https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2370
GeoVision GV-Cloud VMS download page https://www.geovision.com.tw/download/product/GV-Cloud%20VMS
GeoVision GV-Cloud VMS manual https://dlcdn.geovision.com.tw/Manual/GV-Cloud/VMS/GV-Cloud_VMS_User_Manual.pdf

For additional insights on vulnerabilities and detection strategies, you can check our articles on CVE-2026-10561 and What is Sigma and how do I write a detection?.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-02

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.