cbcvebase.
CVE-2022-23227
published 2022-01-14

Priority: P1 96 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV | ITW
CISA Known Exploited Vulnerability, remediation due 2025-01-08
Exploited in the wild
EPSS: 49.43% (98.7th percentile)
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.

Affected

1 range

Vendor  Product            Version range  Fixed in
nuuo    nvrmini2_firmware  <= 3.11.0      (none listed)

Detection & IOCs (extracted from sources)

path: handle_import_user.php

snort (note: as published, the rule uses Suricata 5+ sticky buffers such as http.method, http.uri and http.request_body; Snort 2.x deployments need the equivalent content modifiers)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nuuo NVRmini/NVRsolo handle_import_user.php Unauthenticated Remote Code Execution Attempt (CVE-2022-23227)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"handle_import_user.php"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|upload_file|22 3b 20|filename|3d 22|"; reference:cve,2022-23227; reference:url,github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd; classtype:attempted-admin; sid:2059444; rev:1; metadata:affected_product NUOO, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_01_22, cve CVE_2022_23227, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

bytes: Content-Disposition: form-data; name="upload_file"; filename="
  • Look for HTTP POST requests to handle_import_user.php that carry no session cookie or auth token. The endpoint performs no authentication check, so an exploit attempt needs none; a matching POST from a client that never logged in is the strongest indicator.
  • Inspect multipart form-data POST bodies to handle_import_user.php for a file part named 'upload_file'. This is the delivery mechanism for the malicious encrypted TAR archive; because the archive is encrypted, its contents cannot be inspected on the wire, so detection has to key on the request shape rather than the payload.
  • Correlate with CVE-2011-5325 (TAR path traversal) indicators. CVE-2022-23227 alone lets the attacker add arbitrary users; chained with CVE-2011-5325 it lets the archive overwrite arbitrary files under the web root and achieve code execution as root.
  • The ET rule only inspects plaintext HTTP (tls_state plaintext in its metadata). If the device's web interface is served over HTTPS, the rule will not fire unless the traffic is decrypted at a TLS-terminating proxy or tap.
  • Deploy the Suricata/Snort rule (ET sid:2059444) at both perimeter and internal network segments, as the rule metadata indicates.
  • NUUO NVRmini2 is end-of-life/end-of-service and no vendor fix is listed; detection and network isolation (removing the device from internet exposure and segmenting it from the rest of the network) are the available mitigations.
  • Only NUUO NVRmini2 firmware through version 3.11 is affected; scope detection rules to those devices to limit false positives elsewhere.
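The following is an added example, not code from the original page, from NUUO or from Emerging Threats. It re-implements the match conditions of ET sid:2059444 in Python over raw HTTP/1.1 request bytes (POST method, URI containing handle_import_user.php, multipart body carrying a file part named "upload_file") and additionally records whether the request carried any Cookie or Authorization header, which is the "unauthenticated" heuristic from the first bullet. The request samples, the device address 192.0.2.10, the cookie name, the boundary string and the exact URI path are all constructed assumptions for the example.

```python
"""Offline check for CVE-2022-23227 exploitation attempts.

Added example, not code from the original page or from NUUO/Emerging
Threats. The request samples at the bottom are constructed; the host,
cookie name and URI path are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PATH_MARKER = "handle_import_user.php"
# Byte-for-byte the content the ET rule anchors on in http.request_body
# (|3a 20| = ": ", |3b 20| = "; ", |3d 22| = '="', |22 3b 20| = '"; ').
UPLOAD_MARKER = b'Content-Disposition: form-data; name="upload_file"; filename="'
AUTH_HEADERS = ("cookie", "authorization")


@dataclass
class Finding:
    matched_rule: bool       # would ET sid:2059444 fire on this request
    unauthenticated: bool    # no Cookie/Authorization header at all
    filename: Optional[str]  # filename= value of the upload_file part, if any


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def inspect(raw: bytes) -> Finding:
    """Apply the rule's three conditions plus the unauthenticated heuristic."""
    method, uri, headers, body = parse_request(raw)
    matched = method == "POST" and PATH_MARKER in uri and UPLOAD_MARKER in body
    unauthenticated = not any(h in headers for h in AUTH_HEADERS)
    filename = None
    if matched:
        m = re.search(rb'name="upload_file"; filename="([^"]*)"', body)
        if m:
            filename = m.group(1).decode("latin-1")
    return Finding(matched, unauthenticated, filename)


def _multipart_post(uri: bytes, extra_headers: bytes, part_name: bytes) -> bytes:
    """Build a constructed multipart/form-data POST for the samples below."""
    body = (
        b"--boundary42\r\n"
        b'Content-Disposition: form-data; name="' + part_name + b'"; filename="users.tar"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n"
        b"<encrypted tar bytes>\r\n"
        b"--boundary42--\r\n"
    )
    return (
        b"POST " + uri + b" HTTP/1.1\r\n"
        b"Host: 192.0.2.10\r\n"  # assumed NVR address
        b"Content-Type: multipart/form-data; boundary=boundary42\r\n"
        + extra_headers +
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


# Constructed samples: an unauthenticated exploit attempt, the same upload
# from a logged-in session, an upload under a different field name, and a
# plain GET probe of the script.
SAMPLES = {
    "exploit": _multipart_post(b"/handle_import_user.php", b"", b"upload_file"),
    "admin_session": _multipart_post(b"/handle_import_user.php",
                                     b"Cookie: PHPSESSID=abc123\r\n", b"upload_file"),
    "other_field": _multipart_post(b"/handle_import_user.php", b"", b"avatar"),
    "probe_get": b"GET /handle_import_user.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}


def run_samples() -> Dict[str, Finding]:
    """Inspect every constructed sample and return the findings by name."""
    return {name: inspect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, finding in run_samples().items():
        print(f"{name:14s} {finding}")
```

Note that the "admin_session" sample still matches the rule: sid:2059444 does not look at cookies, so a legitimate administrator importing users through the same form produces the same alert. The unauthenticated flag is what separates that case from a real attempt, which is why the bullet above treats the absence of a session as the stronger signal rather than a reason to suppress the alert.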

CVSS provenance

nvd        v3.1  9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck        9.8   CRITICAL
cisa             9.8   CRITICAL