Main Vulnerability Database Exploits ID:1545 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-14933

ID:1545 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-14933

Published: March 18, 2020

Vulnerability identifier: #VU16228

Vulnerability risk: High

CVE-ID: CVE-2018-14933

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
NUUO NVRmini 2

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/multi/http/nuuo_nvrmini_upgrade_rce

Vulnerability description

The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.

The vulnerability exists in upgrade_handle.php due to insufficient validation of user-supplied input. A remote authenticated attacker can send specially crafted requests to execute OS commands with root privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

NUUO originally tried to fix the vulnerability by enforcing authentication on upgrade_handle.php but this fix has been insufficient to address the vulnerability.

ID:1545 - Exploit for OS command injection in NUUO NVRmini 2 - CVE-2018-14933

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human