CVE-2021-41419
published 2022-07-18

CVE-2021-41419: QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

Priority: P184 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 6.81% (93.2th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| qvis | dvr_firmware | < 2021-12-13 | 2021-12-13 |
| qvis | nvr_firmware | < 2021-12-13 | 2021-12-13 |

Detection & IOCs (extracted from sources)

  • url: /qvisdvr/
  • url: /qvisdvr/index.faces
  • path: /qvisdvr/index.faces
  • cookie: JSESSIONID
  • other: javax.faces.ViewState

  • Exploit targets POST to /qvisdvr/index.faces with a serialized Java payload in the javax.faces.ViewState parameter using the commons-collections3.1 gadget chain (base64-encoded).
  • Successful exploitation results in an HTTP 500 response from the server; monitor for 500 status codes on POST requests to /qvisdvr/index.faces.
  • Attacker performs an initial GET to /qvisdvr/ to harvest a JSESSIONID cookie, then replays it in the exploit POST — look for this two-step request pattern from the same source IP.
  • Content-Type is application/x-www-form-urlencoded on the exploit POST; anomalous base64-encoded javax.faces.ViewState values in form bodies targeting QVIS DVR endpoints should be treated as suspicious.
  • Out-of-band callback (OAST/interactsh) is used to confirm code execution; monitor for unexpected outbound HTTP/DNS from QVIS NVR/DVR devices.
  • The exploit uses the commons-collections3.1 Java deserialization gadget chain; the target device must have this library on its classpath for the payload to execute.
  • Vulnerability affects QVIS NVR DVR firmware versions before 2021-12-13 only; patched devices are not affected.
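
The two-step request pattern and the HTTP 500 signal from the bullets above can be hunted for in web or reverse-proxy access logs. The following is an added example, not part of the original page or of any vendor tooling; the common-log-format layout, the sample lines, the rule names and the five-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in common log format (not captured from a real device).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2022:10:00:01 +0000] "GET /qvisdvr/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2022:10:00:03 +0000] "POST /qvisdvr/index.faces HTTP/1.1" 500 1843
203.0.113.20 - - [10/Jan/2022:10:02:00 +0000] "GET /qvisdvr/ HTTP/1.1" 200 5120
203.0.113.20 - - [10/Jan/2022:10:02:09 +0000] "POST /qvisdvr/index.faces HTTP/1.1" 200 7421
192.0.2.44 - - [10/Jan/2022:10:05:00 +0000] "POST /qvisdvr/index.faces HTTP/1.1" 500 1843
198.51.100.9 - - [10/Jan/2022:10:06:00 +0000] "GET /qvisdvr/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2022:11:30:00 +0000] "POST /qvisdvr/index.faces HTTP/1.1" 500 1843
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per site


def detect(log_text, window=WINDOW):
    """Return (source_ip, iso_timestamp, rule) for each suspicious POST."""
    last_get = {}  # source IP -> time of its latest GET /qvisdvr/
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Ignore query strings and ;jsessionid= path parameters when matching.
        path = m["path"].split("?", 1)[0].split(";", 1)[0]
        if m["method"] == "GET" and path == "/qvisdvr/":
            last_get[m["ip"]] = ts
        elif (m["method"] == "POST" and path == "/qvisdvr/index.faces"
              and m["status"] == "500"):
            seen = last_get.get(m["ip"])
            paired = seen is not None and timedelta(0) <= ts - seen <= window
            rule = "two_step_get_then_post_500" if paired else "post_500_only"
            findings.append((m["ip"], ts.isoformat(), rule))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Access logs rarely record form bodies, so the javax.faces.ViewState content itself needs a WAF or packet capture to inspect; this check covers only the method, path, status and source-IP correlation.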

CVSS provenance

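| Source | CVSS version | Score | Severity | Vector |
|--------|--------------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |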