CVE-2023-30466

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to take over administrator accounts on Milesight NVR devices through a weak password reset mechanism in the web interface. Attackers can exploit this by sending specially crafted HTTP requests to vulnerable devices. All Milesight 4K/H.265 Series NVR models with affected firmware versions are impacted.

💻 Affected Systems

Products:
  • Milesight 4K/H.265 Series NVR models: MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH, MS-Nxxxx-xxC
Versions: The CVE description does not list specific firmware versions; all versions with the vulnerable password reset mechanism are affected
Operating Systems: Embedded NVR firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with web management interface enabled are vulnerable. The vulnerability is in the password reset functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the NVR system, allowing attackers to view/delete surveillance footage, reconfigure cameras, disable security systems, and potentially pivot to other network systems.

🟠 Likely Case

Account takeover leading to unauthorized access to surveillance systems, footage manipulation, and disruption of security monitoring.

🟢 If Mitigated

Limited impact if devices are behind firewalls with restricted web interface access and strong network segmentation.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this if they reach the NVR web interface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to the web interface. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Milesight security advisory for specific patched firmware versions

Vendor Advisory: https://www.milesight.com/security/

Restart Required: Yes

Instructions:

1. Check current firmware version on NVR.
2. Download latest firmware from Milesight support portal.
3. Upload firmware via web interface.
4. Reboot device after installation.

🔧 Temporary Workarounds

Network Isolation

all

Restrict access to NVR web interface using firewall rules

Disable Web Interface

all

Disable web-based management if not required

🧯 If You Can't Patch

  • Place NVR devices behind firewalls with strict inbound rules blocking all external access to web interface
  • Implement network segmentation to isolate NVR systems from general network traffic

🔍 How to Verify

Check if Vulnerable:

Check whether the device is one of the affected models and whether its web interface is accessible. Test password reset functionality for weaknesses.

Check Version:

Log in to the NVR web interface and check System Information > Firmware Version

Verify Fix Applied:

Verify firmware version is updated to latest release from Milesight. Test password reset functionality to confirm it requires proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed password reset attempts
  • Successful password reset from unusual IP addresses
  • Administrator account changes from unexpected sources

Network Indicators:

  • HTTP POST requests to password reset endpoints from external IPs
  • Unusual traffic patterns to NVR web interface

SIEM Query:

source_ip=external AND dest_ip=NVR_IP AND (dest_port=80 OR dest_port=443) AND (uri_path CONTAINS 'password' OR uri_path CONTAINS 'reset')
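
The log and network indicators above, applied to proxy or firewall logs, as an added example that is not vendor or advisory code. The log layout, NVR address, internal ranges and `/placeholder/...` paths are all assumptions constructed for illustration; the advisory does not name the real reset endpoint.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): log layout, NVR address, internal ranges.
NVR_IPS = {"10.20.0.15"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
KEYWORDS = ("password", "reset")

# Constructed sample lines: time src dst dport method uri status
SAMPLE_LOG = """\
2023-07-01T02:11:09Z 203.0.113.50 10.20.0.15 443 POST /placeholder/reset_password 200
2023-07-01T02:11:12Z 203.0.113.50 10.20.0.15 443 POST /placeholder/reset_password 200
2023-07-01T02:12:40Z 10.20.0.7 10.20.0.15 443 POST /placeholder/reset_password 200
2023-07-01T02:13:02Z 198.51.100.9 10.20.0.15 80 GET /placeholder/live_view 200
2023-07-01T02:14:55Z 198.51.100.9 10.20.0.99 443 POST /placeholder/password 200
malformed line
"""

def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_reset_requests(log_text):
    """Return {source_ip: [(time, method, uri), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines
        ts, src, dst, dport, method, uri, _status = parts
        try:
            external = is_external(src)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if (external and dst in NVR_IPS and port in WEB_PORTS
                and any(k in uri.lower() for k in KEYWORDS)):
            hits[src].append((ts, method, uri))
    return dict(hits)

def repeated_sources(hits, threshold=2):
    """Sources with at least `threshold` matching requests (repeated attempts)."""
    return sorted(src for src, reqs in hits.items() if len(reqs) >= threshold)

if __name__ == "__main__":
    for src, reqs in find_reset_requests(SAMPLE_LOG).items():
        print(src, len(reqs), "request(s)")
```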
