CVE-2018-17894

9.8 CRITICAL

📋 TL;DR

NUUO CMS versions 3.1 and earlier contain default accounts with hard-coded passwords that cannot be changed. This allows attackers to gain privileged access to the video management system. Organizations using NUUO CMS for security surveillance are affected.

💻 Affected Systems

Products:
  • NUUO CMS (Central Management System)
Versions: All versions 3.1 and prior
Operating Systems: Windows-based systems running NUUO CMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in default installation configurations. All deployments using affected versions are vulnerable unless specifically hardened.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to disable security cameras, manipulate video footage, access sensitive surveillance data, and pivot to other network systems.

🟠 Likely Case

Unauthorized access to live camera feeds, recorded footage, and system configuration leading to privacy violations and security system bypass.

🟢 If Mitigated

Limited impact if the system is isolated in a secure network segment with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - Direct internet exposure makes exploitation trivial: an attacker needs no prior access, only the default credentials.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit these credentials if systems aren't properly segmented.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the default credentials, which are publicly documented. No special tools or skills are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.3 or later

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Restart Required: Yes

Instructions:

1. Download NUUO CMS version 3.3 or later from vendor portal.
2. Backup current configuration.
3. Install updated version following vendor documentation.
4. Restart system.
5. Change all default passwords immediately after upgrade.

🔧 Temporary Workarounds

Change Default Credentials

all

Manually change all default account passwords in the NUUO CMS administration interface.

Network Segmentation

all

Isolate NUUO CMS systems in a separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Immediately change all default passwords for every account in the system
  • Implement network access controls to restrict access to NUUO CMS systems only from authorized management stations

🔍 How to Verify

Check if Vulnerable:

Check the NUUO CMS version in the administration interface. If the version is 3.1 or earlier, the system is vulnerable.

Check Version:

Check the version in the NUUO CMS web interface under Help > About or System Information.

Verify Fix Applied:

After patching, verify that the version is 3.3 or later, then attempt to log in with the previously known default credentials; the login should fail.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login with default usernames
  • Login events from unexpected IP addresses
  • Configuration changes from default accounts

Network Indicators:

  • HTTP/HTTPS traffic to NUUO CMS web interface from unauthorized sources
  • Unusual patterns of data export or system configuration changes

SIEM Query:

source="nuuo_cms" AND (event_type="login_success" AND (username="admin" OR username="nuuo"))
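
The three log indicators above can be correlated in one pass over normalized events. This is an added example, not code from NUUO or from the advisory; only `event_type`, `login_success` and the usernames come from the SIEM query above, while the `ts` and `src_ip` fields, the `login_failure` and `config_change` event names, the allowed management range and the thresholds are assumptions, and the sample events are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Usernames taken from the SIEM query on this page.
DEFAULT_USERS = {"admin", "nuuo"}
# Assumption: authorized management stations (constructed range).
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/28")]
FAIL_WINDOW = timedelta(minutes=10)  # assumed look-back window
FAIL_THRESHOLD = 3                   # assumed number of failures that counts as "multiple"

# Constructed sample events; field and event names other than
# event_type/login_success/username are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T02:10:01", "event_type": "login_failure", "username": "admin", "src_ip": "192.0.2.44"},
    {"ts": "2024-01-05T02:10:05", "event_type": "login_failure", "username": "admin", "src_ip": "192.0.2.44"},
    {"ts": "2024-01-05T02:10:09", "event_type": "login_failure", "username": "nuuo", "src_ip": "192.0.2.44"},
    {"ts": "2024-01-05T02:10:15", "event_type": "login_success", "username": "nuuo", "src_ip": "192.0.2.44"},
    {"ts": "2024-01-05T02:12:40", "event_type": "config_change", "username": "nuuo", "src_ip": "192.0.2.44"},
    {"ts": "2024-01-05T09:00:00", "event_type": "login_success", "username": "operator1", "src_ip": "10.20.30.5"},
]

def _allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def detect(events):
    """Return (ts, rule, username, src_ip) alerts for the three log indicators."""
    alerts, failures = [], {}  # failures: src_ip -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip, kind = ev["username"], ev["src_ip"], ev["event_type"]
        if kind == "login_failure":
            failures.setdefault(ip, []).append(ts)
        elif kind == "login_success":
            # A success clears the failure history for that source address.
            recent = [t for t in failures.pop(ip, []) if ts - t <= FAIL_WINDOW]
            if user in DEFAULT_USERS and len(recent) >= FAIL_THRESHOLD:
                alerts.append((ev["ts"], "failures_then_default_login", user, ip))
            if not _allowed(ip):
                alerts.append((ev["ts"], "login_unexpected_ip", user, ip))
        elif kind == "config_change" and user in DEFAULT_USERS:
            alerts.append((ev["ts"], "config_change_by_default_account", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A default-account login from an allowed station with no preceding failures raises nothing here; the SIEM query above covers that case.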
