📄 Description (English)
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in deserialization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
CVE-2026-4860 is a high-severity deserialization vulnerability in wvp-GB28181-pro (up to v2.7.4) affecting the Redis serialization component. The flaw allows remote attackers to execute arbitrary code through malicious serialized objects via the API endpoint. With no patch available and public exploit disclosure, this poses immediate risk to organizations using this video surveillance platform.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 6, 2026 15:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi critical infrastructure sectors: (1) Government surveillance systems under NCA oversight for national security monitoring; (2) Banking sector video surveillance for branch security and transaction monitoring (SAMA-regulated); (3) Healthcare facilities using GB28181 for patient area monitoring and security; (4) Energy sector (ARAMCO and utilities) for facility surveillance; (5) Telecommunications infrastructure (STC, Mobily) for network facility monitoring. The lack of vendor response and public exploit availability elevates risk significantly for organizations that cannot immediately upgrade.
🏢 Affected Saudi Sectors
Government & National Security
Banking & Financial Services
Healthcare
Energy & Utilities
Telecommunications
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of wvp-GB28181-pro in your environment and isolate affected systems from production networks if possible
2. Implement network segmentation to restrict API endpoint access to trusted internal networks only
3. Disable remote API access if not operationally critical; use VPN/bastion hosts for required access
4. Monitor Redis connections for suspicious deserialization attempts
COMPENSATING CONTROLS (until patch available):
5. Deploy WAF rules to block suspicious serialized object patterns in API requests
6. Implement strict input validation on all API endpoints accepting serialized data
7. Use Redis authentication with strong credentials and network ACLs
8. Enable Redis command filtering to restrict dangerous operations
9. Implement rate limiting on API endpoints
DETECTION:
10. Monitor for Java deserialization gadget chains (ysoserial patterns) in network traffic
11. Alert on unexpected process execution from Java/Redis processes
12. Log all API calls to GenericFastJsonRedisSerializer endpoint
13. Monitor for unusual Redis command sequences or large serialized payloads
LONG-TERM:
14. Evaluate alternative GB28181 implementations with active security support
15. Plan migration away from wvp-GB28181-pro if vendor remains unresponsive
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نسخ wvp-GB28181-pro في بيئتك وعزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن
2. طبق تقسيم الشبكة لتقييد وصول نقطة نهاية API إلى الشبكات الداخلية الموثوقة فقط
3. عطّل وصول API البعيد إذا لم يكن حرجاً تشغيلياً؛ استخدم VPN أو أجهزة bastion للوصول المطلوب
4. راقب اتصالات Redis للكشف عن محاولات فك التسلسل المريبة
الضوابط التعويضية (حتى توفر التصحيح):
5. نشر قواعد WAF لحظر أنماط الكائنات المسلسلة المريبة في طلبات API
6. طبق التحقق الصارم من المدخلات على جميع نقاط نهاية API التي تقبل البيانات المسلسلة
7. استخدم مصادقة Redis بأوراق اعتماد قوية وقوائم تحكم الوصول للشبكة
8. فعّل تصفية أوامر Redis لتقييد العمليات الخطرة
9. طبق تحديد معدل على نقاط نهاية API
الكشف:
10. راقب سلاسل gadget فك التسلسل في Java (أنماط ysoserial) في حركة المرور
11. أصدر تنبيهات عند تنفيذ عمليات غير متوقعة من عمليات Java/Redis
12. سجل جميع استدعاءات API إلى نقطة نهاية GenericFastJsonRedisSerializer
13. راقب تسلسلات أوامر Redis غير العادية أو الحمولات المسلسلة الكبيرة
المدى الطويل:
14. قيّم تطبيقات GB28181 البديلة مع دعم أمان نشط
15. خطط للهجرة بعيداً عن wvp-GB28181-pro إذا ظل البائع غير مستجيب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development policy (vendor unresponsiveness)
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.3.1 - Segregation of networks
ECC 2024 A.14.2.5 - Secure system architecture and engineering principles
🔵 SAMA CSF
Governance & Risk Management - Vulnerability Management
Protection & Defense - Secure Software Development
Detection & Response - Threat Detection and Analysis
Resilience - Business Continuity Planning
🟡 ISO 27001:2022
A.12.2.1 - Monitoring and review of information systems
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.14.2.5 - Secure system architecture and engineering principles
A.8.1.1 - User endpoint devices
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 6.5.1 - Injection flaws
Requirement 11.2 - Vulnerability scanning