CVE-2022-23227
📋 TL;DR
This critical vulnerability in NUUO NVRmini2 network video recorders lets an unauthenticated attacker upload an encrypted TAR archive to handle_import_user.php, which performs no authentication check, and thereby add arbitrary users. Combined with CVE-2011-5325 (path traversal in BusyBox tar), the archive extraction can also overwrite arbitrary files under the web root, which yields remote code execution as root. It affects NUUO NVRmini2 firmware through version 3.11. The result is complete compromise of the affected device.
💻 Affected Systems
- NUUO NVRmini2 (firmware through version 3.11; no fixed version documented)
📦 What is this software?
NUUO NVRmini2 is a standalone network video recorder appliance that records and manages IP camera streams. It runs an embedded Linux system (with BusyBox utilities) and is administered through a PHP web interface; handle_import_user.php is one of that interface's user-management scripts.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root privileges, allowing attackers to install persistent backdoors, exfiltrate video footage, pivot to internal networks, or use devices for botnet participation.
Likely Case
Remote code execution leading to device compromise, surveillance footage theft, and potential lateral movement to connected networks.
If Mitigated
Limited impact if devices are isolated in separate VLANs with strict network segmentation and no internet exposure.
🎯 Exploit Status
A Metasploit module exists (see the rapid7 pull request in the references). Adding a user needs only the unauthenticated TAR upload; full root RCE chains it with CVE-2011-5325, the BusyBox tar path-traversal bug, which the device's tar still carries. Both issues are publicly documented, and CVE-2022-23227 is listed in CISA's Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Not applicable (no patch documented)
Instructions:
No official patch is documented. Check the NUUO website for firmware updates; if none is forthcoming, plan to replace the affected devices and rely on the workarounds below in the meantime.
🔧 Temporary Workarounds
Network Isolation
Isolate NVRmini2 devices in a separate VLAN with strict firewall rules blocking all inbound traffic except from authorized management stations.
Web Interface Restriction
Block access to handle_import_user.php and related vulnerable endpoints via a web application firewall or reverse proxy. This only helps if the device's web interface is reachable solely through the proxy; if clients can reach the device directly, the firewall rule above is the effective control.
🧯 If You Can't Patch
- Immediately disconnect affected devices from internet and place behind strict firewall with no inbound access
- Implement network segmentation to isolate NVR devices from critical networks, allowing only outbound connections to required services
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the device web interface. If it is 3.11 or earlier, the device is vulnerable. To confirm, request /handle_import_user.php without a session: on a vulnerable device the script is reachable with no authentication, whereas a fixed or proxied device should refuse the request or redirect to the login page.
Check Version:
Check web interface login page or system information page for firmware version
Verify Fix Applied:
No fixed firmware version is documented; if the vendor ships one, confirm the installed version is newer than 3.11. In all cases, test that /handle_import_user.php refuses unauthenticated requests and rejects TAR uploads from a client that is not logged in.
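The two checks above, written as an added example (not code from the advisory or from NUUO): a version comparison against the "through 3.11" bound, and an unauthenticated GET of the import script whose first response is classified without following redirects. The response interpretation is an assumption, since the page documents only that the script lacks an authentication check: a 401/403 or a redirect whose Location mentions "login" is treated as authentication enforced, a 2xx as the script running for an anonymous client. The target URL and the major.minor version format are assumptions as well.

```python
import ssl
import urllib.error
import urllib.request
from typing import Optional

# Endpoint named in the advisory: handle_import_user.php performs no
# authentication check on vulnerable firmware.
IMPORT_ENDPOINT = "/handle_import_user.php"
LAST_AFFECTED = (3, 11)  # "through 3.11"; no fixed version is documented


def is_affected_version(version: str) -> bool:
    """True if the reported firmware version is 3.11 or earlier.

    Assumption: versions are dotted numerics ("3.11", "3.10.2"); only
    major.minor are compared because the advisory gives no finer bound.
    """
    parts = version.strip().split(".")
    major_minor = tuple(int(p) for p in parts[:2])
    return major_minor <= LAST_AFFECTED


def classify(status: int, location: Optional[str]) -> str:
    """Interpret the response to an unauthenticated GET of the import script.

    Heuristic (assumed, not from the advisory): 401/403 or a redirect to a
    login page means authentication is enforced; a 2xx means the script ran
    for an anonymous client, which is the vulnerable behaviour.
    """
    if status in (401, 403):
        return "auth_enforced"
    if 300 <= status < 400:
        if location and "login" in location.lower():
            return "auth_enforced"
        return "inconclusive"
    if status in (404, 410):
        return "endpoint_absent"
    if 200 <= status < 300:
        return "reachable_unauthenticated"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib from following the redirect, so the
    # 3xx surfaces as an HTTPError and the first response stays visible.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, timeout: float = 10.0) -> str:
    """GET the import script with no cookies and classify the first response.

    Appliances commonly use self-signed certificates, so TLS verification is
    disabled here. Only point this at a device you are authorised to test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ctx)
    )
    req = urllib.request.Request(
        base_url.rstrip("/") + IMPORT_ENDPOINT,
        headers={"User-Agent": "nvrmini2-auth-check"},
        method="GET",
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # raised for 3xx/4xx/5xx
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    import sys

    # Assumed address for illustration; pass the real device URL as argv[1].
    url = sys.argv[1] if len(sys.argv) > 1 else "https://192.0.2.10"
    print(url + IMPORT_ENDPOINT, "->", probe(url))
```

A result of "reachable_unauthenticated" on a device running 3.11 or earlier is the vulnerable condition; "auth_enforced" from a proxied device only shows that the proxy is doing its job, so repeat the probe from a network position that reaches the device directly.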
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /handle_import_user.php
- Unexpected user account creation
- File modification in web root directory
Network Indicators:
- Unusual outbound connections from NVR devices
- Outbound connections from the NVR to hosts on threat-intelligence blocklists, or to any unfamiliar host shortly after a request to /handle_import_user.php
- Unexpected file uploads to device
SIEM Query:
dest_ip="NVR_DEVICE_IP" AND http_method="POST" AND uri_path="/handle_import_user.php" AND NOT src_ip IN ("MGMT_STATION_IPS")
Run separate searches for user-creation events and for file modifications under /var/www/ on the device; the request, the account change and the file write come from different log sources and should not be folded into one clause. Field names are generic and must be adapted to your SIEM.
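The first log indicator above, turned into detection logic as an added example (not code from the advisory or the vendor). It assumes the NVR sits behind a reverse proxy that writes combined-format access logs, since the device's own log format is not documented here, and it uses two assumed heuristics in place of a session check, which a combined-format line cannot show: whether the source address is inside the management network, and whether a POST carries a Referer from the web UI or arrives with none (a scripted client). The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Combined access-log format. Assumption: a reverse proxy (nginx/Apache)
# in front of the NVR writes these lines.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
VULN_ENDPOINT = "/handle_import_user.php"


@dataclass
class Alert:
    severity: str
    src: str
    ts: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: Iterable[str], mgmt_nets: Iterable[str]) -> List[Alert]:
    """Flag requests to the unauthenticated import script.

    Rules (assumed heuristics, not from the advisory):
      high    POST to the script from outside the management networks
      medium  POST from a management host with no Referer (scripted client
              rather than a browser driving the web UI)
      low     any other request to the script from outside the management
              networks (reconnaissance / probing)
    """
    nets = [ip_network(n) for n in mgmt_nets]
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-HTTP line
        path = rec["target"].split("?", 1)[0]  # drop any query string
        if path != VULN_ENDPOINT:
            continue
        try:
            trusted = any(ip_address(rec["src"]) in n for n in nets)
        except ValueError:
            trusted = False  # hostname or garbage in the source field
        if rec["method"] == "POST" and not trusted:
            alerts.append(Alert("high", rec["src"], rec["ts"],
                                "POST to import script from non-management source"))
        elif rec["method"] == "POST" and rec["referer"] == "-":
            alerts.append(Alert("medium", rec["src"], rec["ts"],
                                "scripted POST to import script (no Referer)"))
        elif not trusted:
            alerts.append(Alert("low", rec["src"], rec["ts"],
                                "probe of import script from non-management source"))
    return alerts


# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.45 - - [18/Jan/2022:10:14:02 +0000] "GET /handle_import_user.php HTTP/1.1" 200 311 "-" "curl/7.79.1"',
    '203.0.113.45 - - [18/Jan/2022:10:14:09 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "-" "python-requests/2.26.0"',
    '10.0.1.10 - - [18/Jan/2022:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.1.10 - - [18/Jan/2022:10:31:12 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "https://nvr.example.internal/setting_user.php" "Mozilla/5.0"',
    '10.0.1.10 - - [18/Jan/2022:10:40:55 +0000] "POST /handle_import_user.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.26.0"',
    'this line is not an access-log record',
]
MGMT_NETS = ["10.0.1.0/24"]  # assumed management network

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, MGMT_NETS):
        print(f"[{a.severity}] {a.ts} {a.src}: {a.reason}")
```

On the sample input this raises a low alert for the external GET probe, a high alert for the external POST, and a medium alert for the scripted POST from the management host; the browser-driven POST with a Referer from the web UI is left alone. Because the device itself performs no authentication check, a high-severity hit on a device running 3.11 or earlier should be treated as a likely successful user injection and followed by a review of the device's user list and web root.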
🔗 References
- https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd
- https://github.com/rapid7/metasploit-framework/pull/16044
- https://news.ycombinator.com/item?id=29936569
- https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227