CVE-2026-4860 identifies a security vulnerability in the wvp-GB28181-pro software, versions 2.7.0 through 2.7.4, developed by vendor 648540858. The issue resides in the GenericFastJsonRedisSerializer class within the RedisTemplateConfig.java file, part of the API endpoint component. This vulnerability stems from insecure deserialization, where untrusted input is processed by the FastJson library used for Redis serialization and deserialization. An attacker can remotely send crafted data to the API endpoint, triggering deserialization of malicious payloads without authentication or user interaction. This can lead to unauthorized code execution or manipulation of application state, impacting confidentiality, integrity, and availability. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. The vendor was notified early but has not issued a patch or response. Public exploit code has been released, raising the urgency for mitigation despite no confirmed active exploitation. The vulnerability affects a niche IoT video management platform, which may be deployed in surveillance and security environments.

The vulnerability allows remote attackers to exploit insecure deserialization in a critical API component, potentially leading to unauthorized code execution or manipulation of system data. This can compromise the confidentiality of sensitive video streams or configuration data, integrity of system operations, and availability of the video management service. Organizations relying on wvp-GB28181-pro for surveillance or IoT device management could face service disruptions, data breaches, or lateral movement by attackers. The lack of authentication and user interaction requirements lowers the barrier to exploitation, increasing risk. Although the CVSS score is medium, the impact on critical infrastructure such as security monitoring systems could be significant. The public availability of exploit code further elevates the threat, increasing the likelihood of opportunistic attacks. The absence of vendor patches means organizations must rely on alternative mitigations to reduce exposure.

1. Immediately isolate and monitor all instances of wvp-GB28181-pro versions 2.7.0 through 2.7.4 to detect suspicious API requests indicative of deserialization attacks. 2. Implement network-level access controls restricting inbound traffic to the API endpoint only from trusted sources and management networks. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious serialized payloads targeting FastJson deserialization patterns. 4. Where feasible, disable or replace the vulnerable GenericFastJsonRedisSerializer component with safer serialization libraries or configurations that enforce strict input validation and type whitelisting. 5. Conduct thorough code reviews and penetration testing focused on deserialization vectors in the affected software. 6. Maintain strict logging and alerting on deserialization errors or anomalies in Redis interactions. 7. Engage with the vendor or community for updates or unofficial patches, and plan for upgrade or migration to patched versions once available. 8. Educate security teams about this vulnerability and prepare incident response plans for potential exploitation scenarios. 9. Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time.