June 30, 2026
Post auth RCE in GeoSIG seismological equipment (GMSplus)
In this quick post i would like to detail a vulnerability found in the GeoSIG devices specifically the GSMPlus netquake recorder
By @bertinjoseb
3 min read
Geosig is a swiss company in the earthquake/seismological industry producing equipment for record and meassure seismic activity
As an ISO certified company, GeoSIG is a world leader in design and manufacture of a diverse range of high quality, precision instruments for vibration and earthquake monitoring.
The brand provides a considerable ammount of products for the seismic research industry, from accelerometers seismometer recorders and so on.. many of them comes with webserver enable for remote access monitoring and configuration changes, so potentially we could find some bugs in the web application
Geosig equipment is fully charged with network access and monitoring options , so potentially they could be found in the internet exposed .
The following is how i end up finding geosig equipment in the internet
There is a search engine called https://www.icstracker.io/ which task is find ICS/OT devices exposed in the internet , main goal is find all web applications from those devices and take screenshots as well ssl certificates html code and other data available
Screenshots helps to identify all those hidden panels in the internet, is not only just data from a search engine is something visual that sometimes helps uncovered cool devices eficiently , very valuable for those who likes internet safari and also people interested in the ICS/OT devices exposure in the internet.
One day i found the following image on the website so i decided to take a look in the internet for more information, so in the official geosig website you can find manuals for their devices and also the default credentials admin:123456
In icstracker you can find the html code so in order to find them you can use the following to find some of them html:screen.deviceXDPI https://www.icstracker.io/results/?q=html%3Ascreen.deviceXDPI&page=1
After trying admin:123456 the web application grants access because is the default user according official documentation, this user is running with full priviledges, such equipment shouldn't be exposed this way in the internet with default credentials , the main screen of the GMSPlus looks llike this , options like configuration maintenence help and so on..
Mainteneince definitely caught my atention in first place beacuse because is very common to find OS command injection vulnerabilites when user input is not properly sanitized in options for example PING, injecting a ";command" potentially could lead to RCE
After first try we confirmed we have a full OS command injection in the PING module , and even worse is running as root so no need for priviledge escalation.
GG
Use CVE-2025–45672.
CVE was requested and assign months later after discover the issue, GEOsig was reached many times but unfortunatley they never reply back, my intention is not to damage brand reputation but they should take care of equipment security more seriously.
Thanks
