⚠ Actively exploited
Added to CISA KEV on 2024-12-18. Federal agencies required to patch by 2025-01-08. Required action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
CVE-2022-23227 — Missing Authentication for Critical Function in Nvrmini2 Firmware
Severity
9.8 CRITICAL (NVD)
EPSS
53.5% (top 2.01%)
CISA KEV
KEV
Added 2024-12-18
Due 2025-01-08
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Jan 14
KEV added: Dec 18
KEV due: Jan 8
Latest update: Jan 22
CISA Required Action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Description
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 1 package
Vulnerability Details
Detection Rules (2)
Suricata (1)
ET WEB_SPECIFIC_APPS Nuuo NVRmini/NVRsolo handle_import_user.php Unauthenticated Remote Code Execution Attempt (CVE-2022-23227), 2025-01-22