CVE-2016-5675
published 2016-08-31

Priority: P182 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 70.88% (99.3th percentile)
handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.

Affected

36 ranges · showing 25
Vendor | Product | Version range | Fixed in
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
netgear | readynas_surveillance | |
nuuo | crystal | |
nuuo | crystal | |
nuuo | crystal | |
nuuo | crystal | |
nuuo | nvrmini_2 | |
nuuo | nvrmini_2 | |
nuuo | nvrmini_2 | |
nuuo | nvrmini_2 | |
nuuo | nvrmini_2 | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |
nuuo | nvrsolo | |

Detection & IOCs (extracted from sources)

path: handle_daylightsaving.php
other: NTPServer (PHP code injection parameter)
  • Monitor HTTP requests targeting handle_daylightsaving.php with an NTPServer parameter containing PHP code or shell metacharacters, indicating exploitation of CVE-2016-5675.
  • Successful exploitation results in code execution as root on NVRmini/Crystal or as the 'admin' user on ReadyNAS Surveillance; monitor for unexpected privileged process spawning from the web server process.
  • Exploitation requires valid administrative credentials; correlate admin-authenticated sessions to the web interface immediately followed by requests to handle_daylightsaving.php.
  • Exploitation requires authentication with an administrative account; unauthenticated attackers cannot directly exploit this vulnerability.
  • The Metasploit module targets NVRmini 2, Crystal, and ReadyNAS Surveillance; NVRsolo and other NUUO devices are suspected vulnerable but have not been confirmed tested.
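
The first monitoring point above can be implemented as an allowlist check over web access logs. The script below is an added example, not taken from the sources this entry cites. It assumes the NTPServer value is visible in the logged request line (a value sent in a POST body would need proxy or WAF body inspection instead), and the log lines and the flag_requests helper are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET = "handle_daylightsaving.php"   # path from this entry
PARAM = "NTPServer"                    # parameter from this entry

# Constructed sample access-log lines (combined log format), not from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - admin [31/Aug/2016:10:00:01 +0000] "GET /handle_daylightsaving.php?NTPServer=pool.ntp.org HTTP/1.1" 200 512',
    '192.0.2.44 - admin [31/Aug/2016:10:05:13 +0000] "GET /handle_daylightsaving.php?NTPServer=time.example.org%3B%20id HTTP/1.1" 200 512',
    '192.0.2.44 - admin [31/Aug/2016:10:05:20 +0000] "GET /handle_daylightsaving.php?NTPServer=%3C%3Fphp%20%2F%2Aconstructed%2A%2F%20%3F%3E HTTP/1.1" 200 512',
    '192.0.2.10 - admin [31/Aug/2016:10:06:00 +0000] "GET /index.php?NTPServer=%3Bid HTTP/1.1" 200 100',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate NTP server value is a hostname or IP literal; anything else is suspect.
HOST_RE = re.compile(r"[A-Za-z0-9.:\-]{0,255}")
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n\r'\"]")


def flag_requests(lines):
    """Return (client_ip, reason, decoded_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Decode the path so an encoded file name does not slip past the match.
        if not unquote(url.path).lower().endswith("/" + TARGET):
            continue
        # parse_qs URL-decodes once; a double-encoded value keeps its '%'
        # and therefore still fails the hostname allowlist.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if HOST_RE.fullmatch(value):
                continue
            if "<?" in value:
                reason = "php-tag"
            elif SHELL_META.search(value):
                reason = "shell-metachar"
            else:
                reason = "not-a-hostname"
            hits.append((line.split()[0], reason, value))
    return hits


if __name__ == "__main__":
    for ip, reason, value in flag_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Matching on what a valid value looks like, rather than on known payload strings, also catches encodings and variants that a signature list would miss.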

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C