CVE-2016-5674
Published 2016-08-31
Priority: P1 91 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 94.61% (99.8th percentile)
__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
Affected
24 ranges
| Vendor | Product | Ranges | Version range | Fixed in |
|---|---|---|---|---|
| netgear | readynas_surveillance | 8 | — | — |
| nuuo | nvrmini_2 | 5 | — | — |
| nuuo | nvrsolo | 11 | — | — |
Detection & IOCs (extracted from sources)
- HTTP GET request to /__debugging_center_utils___.php with a `log` parameter containing a shell command injection payload (semicolon-prefixed OS command). Response body will contain 'Debugging Center' and command output (e.g., uid=/gid= pattern for Linux, 'Windows IP' for Windows).
- Successful exploitation response body contains the string 'Debugging Center' alongside command execution output. Match on HTTP 200 status code combined with this body string.
- FOFA/Shodan fingerprinting queries to identify exposed NUUO NVR and ReadyNAS Surveillance devices: app="NUUO-NVRmini", app="NUUO-NVR", or title="Network Video Recorder Login".
- Exploitation is unauthenticated (no credentials required). Successful exploitation yields code execution as root on NVRmini or as 'admin' on ReadyNAS.
- The vulnerability affects a specific version range. NUUO NVRmini 2 and NVRsolo versions 1.7.5–3.0.0, and NETGEAR ReadyNAS Surveillance versions 1.1.1–1.4.1 are confirmed vulnerable. Devices outside these ranges may not be affected.
- The Metasploit module notes the exploit has been tested on NVRmini 2 and ReadyNAS Surveillance but has NOT been tested on NVRsolo or other Nuuo devices, though it probably works on them.
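
The request and response indicators listed above, turned into a log-triage check. This is an added example, not a rule from any of the cited sources; it assumes combined-format web access logs, and the sample lines, IP addresses and `CMD` placeholder are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

TARGET_PATH = "/__debugging_center_utils___.php"
# Source address, request URI and status from a combined-format log entry.
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})\b')

def classify_request(line):
    """Return (source, status, verdict) for requests to the debug script, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["uri"])
    if unquote(url.path) != TARGET_PATH:
        return None
    # Decode each `log` value by hand so ';' is never treated as a separator.
    values = [unquote_plus(v) for k, _, v in
              (p.partition("=") for p in url.query.split("&"))
              if unquote_plus(k) == "log"]
    if not values:
        return None
    # A semicolon in the decoded value is the injection marker the page describes.
    verdict = "injection-attempt" if any(";" in v for v in values) else "probe"
    return m["src"], int(m["status"]), verdict

def response_indicates_execution(status, body):
    """Response signature: HTTP 200, 'Debugging Center', and command output."""
    return (status == 200 and "Debugging Center" in body
            and re.search(r"uid=\d+.*gid=\d+|Windows IP", body) is not None)

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify_request, lines) if hit]

# Constructed sample log lines (documentation IP ranges, placeholder command).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /__debugging_center_utils___.php?log=%3BCMD HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:00:00:02 +0000] "GET /__debugging_center_utils___.php?log= HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:00:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, status, verdict in scan(SAMPLE):
        print(f"{src} status={status} {verdict}")
```

Access logs do not record response bodies, so `response_indicates_execution` is meant for proxy or packet-capture data where the body is available.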
CVSS provenance
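| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |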
GHSA
GHSA-fx93-287m-8f7q: __debugging_center_utils___
ghsa_unreviewed·2022-05-17
CVE-2016-5674 [CRITICAL] CWE-20
VulnCheck
NETGEAR readynas_surveillance Improper Input Validation
vulncheck·2016·CVSS 9.8
CVE-2016-5674 [CRITICAL]
Affected: NETGEAR readynas_surveillance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-23&host_type=src&vulnerability=cve-2016-5674; https://dashboard.shadowserver.org/statistics/honeypot
No detection rules found.
Exploit-DB
NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities
exploitdb·2016-08-05
CVE-2016-5680
---
>> Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS Surveillance application
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/08/2016 / Last updated: 04/08/2016
>> Background on the affected products:
"NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy har
Metasploit
NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance Unauthenticated Remote Code Execution
metasploit
The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
Nuclei
NUUO NVR camera `debugging_center_utils_.php` - Command Execution
nuclei·CVSS 9.8
CVE-2016-5674 [CRITICAL]
Template:
```yaml
id: CVE-2016-5674
info:
  name: NUUO NVR camera `debugging_center_utils_.php` - Command Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
  impact: |
    Attackers can execute arbitrary PHP code remotely without authentication through command
```
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio·2025-05-27
Fortinet
Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
blogs_fortinet·2022-04-01·CVSS 9.8
FORTIGUARD LABS THREAT RESEARCH
By Joie Salvio and Roy Tay | April 01, 2022
Between February and March 2022, our FortiGuard Labs team observed that the Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Five new exploits were added within a month, with three targeting various models of TOTOLINK routers.
This inclusion of TOTOLINK exploits is especially noteworthy as they were added just a week after the exploit codes were published on GitHub. We previously reported on the MANGA campaign, which similarly adopted exploit code within weeks of their release.
By rapidly adopting newly released exploit code, threat actors can potentially infect vulnerable devices and expan
2016-08-31: Published
Exploited in the wild