An insufficient encryption vulnerability exists in GeoVision GV-IP Device Utility 9.0.5 that allows credential theft through broadcast packet interception. The vulnerability occurs in the Device Authentication functionality where privileged commands are sent over UDP with encrypted username/password pairs using a Blowfish-derived protocol. However, the symmetric encryption key is included in the same packet, making the encryption rely solely on obscurity. Attackers on the same LAN can intercept broadcast traffic when administrators interact with devices and decrypt the credentials using their own algorithm implementation. With these stolen credentials, attackers gain full control over device configuration, including the ability to change IP addresses or reset devices to factory defaults.