#VU16228 OS command injection in NUUO NVRmini 2 - CVE-2018-14933
Published: December 4, 2018 / Updated: December 18, 2024
Vulnerability identifier: #VU16228
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber
CVE-ID: CVE-2018-14933
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
NUUO NVRmini 2
NUUO NVRmini 2
Software vendor:
NUUO Inc.
NUUO Inc.
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary shell commands on the target system.
The vulnerability exists in upgrade_handle.php due to insufficient validation of user-supplied input. A remote authenticated attacker can send specially crafted requests to execute OS commands with root privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
NUUO originally tried to fix the vulnerability by enforcing authentication on upgrade_handle.php but this fix has been insufficient to address the vulnerability.