cbcvebase.
CVE-2018-14933
published 2018-08-04

CVE-2018-14933: upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

PriorityP194critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2025-01-08
Exploited in the wild
EPSS
93.75%
99.8th percentile
upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

Affected

1 ranges
VendorProductVersion rangeFixed in
nuuonvrmini_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/upgrade_handle.php
url/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;id;%27
commandcmd=writeuploaddir&uploaddir=';id;'
commanduploaddir=|| whoami
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; fast_pattern; startswith; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/46340; reference:cve,2018-14933; classtype:attempted-admin; sid:2058393; rev:1; metadata:affected_product NUOO, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_18, cve CVE_2018_14933, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
yara
regex: uid=[0-9]+.*gid=[0-9]+.*
  • Detect GET requests to /upgrade_handle.php with cmd=writeuploaddir and shell metacharacters (;, |, `, $, newline) in the uploaddir parameter — the core injection vector for CVE-2018-14933.
  • The Snort/ET rule (sid:2058393) matches GET requests where the URI starts with /upgrade_handle.php?cmd=writeuploaddir&uploaddir= followed by any of the encoded/raw metacharacters: ; (%3B), newline (%0A), backtick (%60), pipe (%7C), dollar sign (%24).
  • The bypass technique for the patched version uses logical operators (e.g., ||) instead of semicolons, since the patch only filters semicolons via strpos($uploaddir, ';').
  • For vulnerability scanning/detection, a response body matching uid=[0-9]+.*gid=[0-9]+.* with HTTP 200 confirms successful command injection (id command output).
  • Shodan/FOFA queries for exposed NUUO NVRmini devices: shodan-query title:"NUUO", fofa-query title="NUUO".
  • The unpatched version is exploitable unauthenticated; the patched version requires authentication but is still injectable via logical operators — both variants target the same URI and parameter.
  • ·NUUO NVRmini 2 and NVRsolo series are end-of-life/end-of-service; no further patches are expected. Detection and blocking are the only mitigations.
  • ·The semicolon filter (strpos check) in the patched firmware only blocks ';' — other shell metacharacters including ||, |, backtick, $(), and newline remain uninspected by the application-level filter.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.