CVE-2018-14933
Published 2018-08-04
CVE-2018-14933: upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
Priority P1 · 94 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2025-01-08
Exploited in the wild
EPSS: 93.75% (99.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nuuo | nvrmini_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; fast_pattern; startswith; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/46340; reference:cve,2018-14933; classtype:attempted-admin; sid:2058393; rev:1; metadata:affected_product NUOO, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_18, cve CVE_2018_14933, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
yara
regex: uid=[0-9]+.*gid=[0-9]+.*
- Detect GET requests to /upgrade_handle.php with cmd=writeuploaddir and shell metacharacters (;, |, `, $, newline) in the uploaddir parameter, the core injection vector for CVE-2018-14933.
- The Snort/ET rule (sid:2058393) matches GET requests where the URI starts with /upgrade_handle.php?cmd=writeuploaddir&uploaddir= followed by any of the encoded/raw metacharacters: ; (%3B), newline (%0A), backtick (%60), pipe (%7C), dollar sign (%24).
- The bypass technique for the patched version uses logical operators (e.g., ||) instead of semicolons, since the patch only filters semicolons via strpos($uploaddir, ';').
- For vulnerability scanning/detection, a response body matching uid=[0-9]+.*gid=[0-9]+.* with HTTP 200 confirms successful command injection (id command output).
- Shodan/FOFA queries for exposed NUUO NVRmini devices: shodan-query title:"NUUO", fofa-query title="NUUO".
- The unpatched version is exploitable unauthenticated; the patched version requires authentication but is still injectable via logical operators. Both variants target the same URI and parameter.
- NUUO NVRmini 2 and NVRsolo series are end-of-life/end-of-service; no further patches are expected. Detection and blocking are the only mitigations.
- The semicolon filter (strpos check) in the patched firmware only blocks ';'; other shell metacharacters including ||, |, backtick, $(), and newline remain uninspected by the application-level filter.
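The matching logic in the notes above can also be run over stored web or proxy logs. The following is an added example, not code from the ET ruleset or any source quoted on this page: it applies the same test as sid:2058393 to access-log lines and records whether the semicolon-only filter described above would have stopped the value. The combined log format, the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# URI prefix taken from the ET rule (sid:2058393) quoted on this page.
PREFIX = "/upgrade_handle.php?cmd=writeuploaddir&uploaddir="
# Metacharacters the rule looks for, raw or percent-encoded.
METACHARS = {";": "semicolon", "\n": "newline", "`": "backtick",
             "|": "pipe", "$": "dollar"}
# Request line inside a combined-log-format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def inspect_line(line):
    """Return a finding dict for a matching request, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri")
    if not uri.startswith(PREFIX):
        return None
    # Like the rule's pcre, only look at the value up to the next '&'.
    raw_value = uri[len(PREFIX):].split("&", 1)[0]
    value = unquote(raw_value)  # one decode pass covers %3B/%3b, %0A, %60, ...
    hits = sorted({name for ch, name in METACHARS.items() if ch in value})
    if not hits:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "metachars": hits,
        # Per the page, the patched firmware's strpos($uploaddir, ';') check
        # only stops values containing ';'; other metacharacters pass it.
        "stopped_by_semicolon_filter": "semicolon" in hits,
    }


def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (documentation IPs, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2024:10:00:00 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=/mnt/upload HTTP/1.1" 200 12',
    '198.51.100.7 - - [18/Dec/2024:10:00:05 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=x%3BPLACEHOLDER HTTP/1.1" 200 40',
    '203.0.113.5 - - [18/Dec/2024:10:00:09 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=x%7c%7cPLACEHOLDER HTTP/1.1" 200 40',
    '203.0.113.9 - - [18/Dec/2024:10:00:12 +0000] "GET /index.php?x=%3B HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with stopped_by_semicolon_filter set to False is the case the notes above call out: a request that the patched firmware's own check does not reject, so it deserves the same triage priority as a semicolon hit.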
CVSS provenance
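| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |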
GHSA
GHSA-xqgh-qj2v-fjfx: upgrade_handle
ghsa_unreviewed·2022-05-13
CVE-2018-14933 [CRITICAL] CWE-78 GHSA-xqgh-qj2v-fjfx: upgrade_handle
upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
VulnCheck
NUUO NVRmini Devices OS Command Injection Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-14933 [CRITICAL] CWE-78 NUUO NVRmini Devices OS Command Injection Vulnerability
NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
Affected: NUUO NVRmini Devices
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Exploitation References: https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2025-01-08
CISA
NUUO NVRmini Devices OS Command Injection Vulnerability
cisa·2024-12-18·CVSS 9.8
CVE-2018-14933 [CRITICAL] CWE-78 NUUO NVRmini Devices OS Command Injection Vulnerability
Vulnerability: NUUO NVRmini Devices OS Command Injection Vulnerability
Affected: NUUO NVRmini Devices
NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.
Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Notes: https://nuuo.com/wp-content/uploads/2023/03/NUUO-EOL-letter%EF%BC%BFNVRmini-2-and-NVRsolo-series.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2018-14933
Remediation Due Date: 2025-01-08
Suricata
ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933)
suricata·2024-12-18·CVSS 9.8
CVE-2018-14933 [CRITICAL] ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; fast_pattern; startswith; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/46340; reference:cve,2018-14933; classtype:attempted-admin; sid:2058393; rev:1; metadata:affected_product NUOO, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_18, cve CVE_2018_14933, deployment Perimeter, deployme
Exploit-DB
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
exploitdb·2019-02-11
CVE-2018-14933 NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'NUUO NVRmini upgrade_handle.php Remote Command Execution',
'Description' => %q{
This exploits a vulnerability in the web application of NUUO NVRmini IP camera,
which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Berk Dusunur', # @berkdusunur
'numan turle' # @numanturle
],
'References' =>
[
['URL', 'https://www.berkdusunur.net/2018/11/development-of-metasploit-module-after.html'],
['URL', 'https://www.tenable.com/security/research/tra-2018-41'],
['CVE', '2018-14933'],
['ED
Metasploit
NUUO NVRmini upgrade_handle.php Remote Command Execution
metasploit
This exploits a vulnerability in the web application of NUUO NVRmini IP camera, which can be done by triggering the writeuploaddir command in the upgrade_handle.php file.
Nuclei
NUUO NVRmini - Remote Command Execution
nuclei·CVSS 9.8
CVE-2018-14933 [CRITICAL] NUUO NVRmini - Remote Command Execution
NUUO NVRmini is vulnerable to unauthenticated remote command execution through the upgrade_handle.php file. The vulnerability allows an attacker to execute arbitrary commands by manipulating the uploaddir parameter.
Template:
id: CVE-2018-14933
info:
  name: NUUO NVRmini - Remote Command Execution
  author: ritikchaddha
  severity: critical
  description: |
    NUUO NVRmini is vulnerable to unauthenticated remote command execution through the upgrade_handle.php file. The vulnerability allows an attacker to execute arbitrary commands by manipulating the uploaddir parameter.
  impact: |
    Unauthenticated attackers can execute arbitrary commands on the NUUO NVRmini device by manipulating the uploaddir parameter in upgrade_handle.php, leading to complete device comp
Tenable
[R1] NUUO NVRMini2 Authenticated Command Injection
blogs_tenable·2018-11-29
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
2018-08-04: Published
2024-12-18: Added to CISA KEV
Exploited in the wild