OS command injection in NUUO NVRmini 2 - CVE-2018-14933
Published: December 4, 2018 / Updated: December 18, 2024
Vulnerability identifier: #VU16228
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber
CVE-ID: CVE-2018-14933
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: NUUO Inc.
Affected software:
NUUO NVRmini 2
NUUO NVRmini 2
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.
The vulnerability exists in upgrade_handle.php due to insufficient validation of user-supplied input. A remote authenticated attacker can send specially crafted requests to execute OS commands with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2018-14933
NUUO originally tried to fix the vulnerability by enforcing authentication on upgrade_handle.php but this fix has been insufficient to address the vulnerability.