← Volver a CVEs
CVE-2022-23227
CRITICALCISA KEV9.8
Descripcion
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
Detalles CVE
Puntuacion CVSS v3.19.8
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado1/14/2022
Ultima modificacion11/7/2025
Fuentekev
Avistamientos honeypot0
CISA KEV
VendedorNUUO
ProductoNVRmini2 Devices
Nombre vulnerabilidadNUUO NVRmini2 Devices Missing Authentication Vulnerability
Fecha inclusion KEV2024-12-18
Fecha limite remediacion2025-01-08
Uso en ransomwareUnknown
Productos afectados
nuuo:nvrmini2nuuo:nvrmini2_firmware
Debilidades (CWE)
CWE-306CWE-306
Referencias
https://github.com/rapid7/metasploit-framework/pull/16044(cve@mitre.org)
https://news.ycombinator.com/item?id=29936569(cve@mitre.org)
https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device(cve@mitre.org)
https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rapid7/metasploit-framework/pull/16044(af854a3a-2127-422b-91ae-364da2661108)
https://news.ycombinator.com/item?id=29936569(af854a3a-2127-422b-91ae-364da2661108)
https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.