CVE-2018-17888

9.8 CRITICAL

📋 TL;DR

CVE-2018-17888 allows attackers to obtain active session IDs in NUUO CMS, potentially leading to remote code execution. This affects all versions 3.1 and prior of NUUO CMS, which is video management software used in physical security systems.

💻 Affected Systems

Products:
  • NUUO CMS
Versions: All versions 3.1 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Primarily affects physical security/video management systems in critical infrastructure sectors.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the CMS server, accessing video feeds, and potentially pivoting to other systems.

🟠 Likely Case

Unauthorized access to video surveillance systems, data exfiltration, and disruption of security monitoring operations.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing lateral movement.

🌐 Internet-Facing: HIGH - CMS systems are often exposed to the internet for remote monitoring access.
🏢 Internal Only: MEDIUM - Still vulnerable to internal threats but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Session ID exposure leads to authentication bypass, making RCE straightforward once a session is hijacked.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.3 or later

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Restart Required: Yes

Instructions:

1. Download NUUO CMS version 3.3 or later from the vendor portal.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the CMS service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate NUUO CMS from the internet and restrict access to trusted networks only.

Firewall Rules (platform: windows)

Implement strict firewall rules to limit access to the CMS port (default 5250). The rule below blocks all inbound TCP connections to that port.

netsh advfirewall firewall add rule name="Block NUUO CMS" dir=in action=block protocol=TCP localport=5250

🧯 If You Can't Patch

  • Implement strict network segmentation and access controls
  • Monitor for unusual authentication patterns and session activity

🔍 How to Verify

Check if Vulnerable:

Check CMS version in web interface or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\NUUO\CMS\Version

Check Version:

reg query "HKLM\SOFTWARE\NUUO\CMS" /v Version

Verify Fix Applied:

Confirm version is 3.3 or higher and test session management functionality

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from different IP
  • Unusual session creation patterns
  • Access to administrative functions from unexpected sources
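
The first two log indicators above can be turned into a small offline check. This is an added example, not code from this page or from NUUO: the log line format, the event names (LOGIN_FAIL, LOGIN_OK, REQUEST) and the field names are assumptions, and the sample lines are constructed. Treating one session ID seen from two source IPs as an "unusual session pattern" is also an assumption of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED format; real NUUO CMS logs will differ.
SAMPLE_LOG = """\
2018-10-11T09:00:01 LOGIN_FAIL user=admin ip=203.0.113.7
2018-10-11T09:00:03 LOGIN_FAIL user=admin ip=203.0.113.7
2018-10-11T09:00:05 LOGIN_FAIL user=admin ip=203.0.113.7
2018-10-11T09:01:10 LOGIN_OK user=admin ip=198.51.100.23 sid=A1
2018-10-11T09:05:00 LOGIN_OK user=operator ip=10.0.0.15 sid=B2
2018-10-11T09:06:30 REQUEST user=operator ip=10.0.0.15 sid=B2
2018-10-11T09:07:45 REQUEST user=operator ip=192.0.2.99 sid=B2
"""

def parse(text):
    """Yield (timestamp, event, fields) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = re.match(r"^(\S+) (\w+) (.*)$", line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield ts, m.group(2), fields

def detect(text, min_fails=3, window=timedelta(minutes=10)):
    """Return sorted alerts: failed logins then success from a new IP, and session ID reuse."""
    fails = defaultdict(list)   # user -> [(ts, ip)] of failed logins since last success
    sid_ips = {}                # session ID -> first source IP seen using it
    alerts = set()
    for ts, event, f in parse(text):
        user, ip, sid = f.get("user"), f.get("ip"), f.get("sid")
        if event == "LOGIN_FAIL":
            fails[user].append((ts, ip))
        elif event == "LOGIN_OK":
            recent = [fip for fts, fip in fails[user] if ts - fts <= window]
            if len(recent) >= min_fails and ip not in recent:
                alerts.add(("fails_then_success_new_ip", user, ip))
            fails[user].clear()
        if sid and sid_ips.setdefault(sid, ip) != ip:
            alerts.add(("session_id_reused_from_new_ip", sid, ip))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Clients behind NAT pools or on roaming connections can legitimately change source IP mid-session, so the session-reuse alert is a triage signal rather than proof of hijacking.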

Network Indicators:

  • Traffic to CMS port 5250 from untrusted networks
  • Unusual outbound connections from CMS server

SIEM Query:

source="nuuo_cms.log" AND (event="session_hijack" OR (event="admin_access" AND from_ip NOT IN trusted_ips))
