← Back to CVEs
CVE-2022-23227
CRITICALCISA KEV9.8
Description
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published1/14/2022
Last Modified11/7/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorNUUO
ProductNVRmini2 Devices
Vulnerability NameNUUO NVRmini2 Devices Missing Authentication Vulnerability
KEV Date Added2024-12-18
Remediation Due Date2025-01-08
Ransomware UseUnknown
Affected Products
nuuo:nvrmini2nuuo:nvrmini2_firmware
Weaknesses (CWE)
CWE-306CWE-306
References
https://github.com/rapid7/metasploit-framework/pull/16044(cve@mitre.org)
https://news.ycombinator.com/item?id=29936569(cve@mitre.org)
https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device(cve@mitre.org)
https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/rapid7/metasploit-framework/pull/16044(af854a3a-2127-422b-91ae-364da2661108)
https://news.ycombinator.com/item?id=29936569(af854a3a-2127-422b-91ae-364da2661108)
https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.