CVE-2018-1149
published 2018-09-19CVE-2018-1149: cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests.
PriorityP264critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
15.23%
96.3th percentile
cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nuuo | nuuo_nvrmini2 | — | — |
| nuuo | nvrmini2_firmware | <= 3.8.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by monitoring HTTP requests to /cgi-bin/cgi_system with an oversized PHPSESSID cookie value (well beyond normal session ID length of 32 hex chars) ↗
- →Alert on HTTP requests to /cgi-bin/cgi_system?cmd=portCheck (or any cmd parameter) carrying a PHPSESSID cookie significantly longer than 32 characters, indicative of stack buffer overflow attempt ↗
- →Monitor for unauthenticated access to /users_xml.php with cmd=changepwd query parameters, which indicates exploitation of the backdoor (CVE-2018-1150) to change user passwords ↗
- →The overflow occurs in sprintf when building a /tmp/ session filename from the unsanitized PHPSESSID cookie; monitor sprintf calls or stack canary violations in the cgi_system process ↗
- ·Camera credentials for all connected cameras are stored in plaintext on disk at /mtd/block4/NUUO/etc/camera.ini and are exposed upon successful exploitation ↗
- ·NUUO OEMs and whitelabels its software to third-party vendors; the full list of affected third-party vendors is unknown, broadening the attack surface beyond NVRMini2 branded devices ↗
- ·All NVRMini2 and NVRsolo versions 3.8.0 and prior are affected; public exploits are available per CISA advisory ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wrq3-jg5x-9pp3: cgi_system in NUUO's NVRMini2 3
ghsa_unreviewed·2022-05-14
CVE-2018-1149 [CRITICAL] CWE-119 GHSA-wrq3-jg5x-9pp3: cgi_system in NUUO's NVRMini2 3
cgi_system in NUUO's NVRMini2 3.8.0 and below allows remote attackers to execute arbitrary code via crafted HTTP requests.
CISA ICS
NUUO NVRmini2 and NVRsolo
cisa_ics·2018-10-11·CVSS 9.8
[CRITICAL] NUUO NVRmini2 and NVRsolo
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
NUUO NVRmini2 and NVRsolo
Last RevisedOctober 11, 2018
Alert CodeICSA-18-284-01
## 1. EXECUTIVE SUMMARY
-
CVSS v3 10.0
- ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
- Vendor: NUUO
- Equipment: NVRmini2, NVRsolo
- Vulnerabilities: Stack-based Buffer Overflow, Leftover Debug Code
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution and user account modification.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Nuuo NVRmini2 and
No detection rules found.
No public exploits indexed.
Tenable
[R2] Multiple NUUO NVRMini2 Vulnerabilities
blogs_tenable·2018-09-17
[R2] Multiple NUUO NVRMini2 Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Tenable
Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
blogs_tenable·2018-09-17
Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
Blog / Research
Subscribe
# Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
Tenable Research
September 17, 2018
5 Min Read
Tenable Research has discovered a critical vulnerability named Peekaboo permitting remote code execution in IoT network video recorders for video surveillance systems that would allow attackers to remotely view feeds and tamper with recordings. On September 19, NUUO released version 3.9.1 to address the Peekaboo vulnerability. Affected users are urged to update their NVRMini2 devices as soon as possible. The update can be downloaded from their website here.
Tenable Research discovered two vulnerabilities in NUUO’s Network Video Recorder software. The first is a critical unauthenticated stack buffer overflow and the second
Tenable
Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
blogs_tenable·2018-09-17
Tenable Research Advisory: Peekaboo Critical Vulnerability in NUUO Network Video Recorder
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2018-11624 ImageMagick: use after free in ReadMATImage function in coders/mat.c
bugzilla·2018-05-31·CVSS 8.8
CVE-2018-11624 [HIGH] CVE-2018-11624 ImageMagick: use after free in ReadMATImage function in coders/mat.c
CVE-2018-11624 ImageMagick: use after free in ReadMATImage function in coders/mat.c
A flaw was found in ImageMagick 7.0.7-36 Q16, the ReadMATImage function in coders/mat.c allows attackers to cause a use after free via a crafted file.
References:
https://github.com/ImageMagick/ImageMagick/issues/1149
Patch:
https://github.com/ImageMagick/ImageMagick6/commit/172d82afe89d3499ef0cab06dc58d380cc1ab946
Discussion:
Created ImageMagick tracking bugs for this issue:
Affects: fedora-all [bug 1584900]
---
Statement:
This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5, 6, and 7.
http://www.securityfocus.com/bid/105720https://github.com/tenable/poc/tree/master/nuuo/nvrmini2https://www.nuuo.com/backend/CKEdit/upload/files/NUUO_NVRsolo_v3_9_1_Release%20note.pdfhttps://www.tenable.com/security/research/tra-2018-25http://www.securityfocus.com/bid/105720https://github.com/tenable/poc/tree/master/nuuo/nvrmini2https://www.nuuo.com/backend/CKEdit/upload/files/NUUO_NVRsolo_v3_9_1_Release%20note.pdfhttps://www.tenable.com/security/research/tra-2018-25
2018-09-19
Published