CVE-2016-5675

CRITICAL

NETGEAR ReadyNAS Surveillance 1.1.1-1.4.1 - Remote Code Execution via NTPServer Parameter

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-5675. PoCs published by Pedro Ribeiro, including Metasploit module exploits/linux/http/nuuo_nvrmini_auth_rce.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in NUUO NVR devices and NETGEAR ReadyNAS Surveillance, including unauthenticated remote code execution via improper input validation in PHP files. Proofs of concept include command injection via GET parameters to achieve reverse shells as root or admin.

Description

handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.

Exploits (2)

exploitdb WORKING POC

by Pedro Ribeiro · textremotehardware

https://www.exploit-db.com/exploits/40200

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in NUUO NVR devices and NETGEAR ReadyNAS Surveillance, including unauthenticated remote code execution via improper input validation in PHP files. Proofs of concept include command injection via GET parameters to achieve reverse shells as root or admin.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NUUO NVRmini2, NVRsolo, Crystal, NETGEAR ReadyNAS Surveillance

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nuuo_nvrmini_auth_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated remote code execution vulnerability in NUUO NVRmini 2, Crystal, and NETGEAR ReadyNAS Surveillance by injecting commands into the NTPServer parameter of handle_daylightsaving.php. It supports multiple targets and payload types.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: NUUO NVRmini 2, Crystal, NETGEAR ReadyNAS Surveillance

Auth required

Prerequisites: Valid administrative credentials · Access to the web administration interface on port 8081

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/856152

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/92318

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40200/

Scores

CVSS v3 9.8

EPSS 0.7306

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (36)

netgear/readynas_surveillance 1.1.1

netgear/readynas_surveillance 1.1.2

netgear/readynas_surveillance 1.2.0.4

netgear/readynas_surveillance 1.3.2.4

netgear/readynas_surveillance 1.3.2.14

netgear/readynas_surveillance 1.4.0

netgear/readynas_surveillance 1.4.1

netgear/readynas_surveillance 1.4.2

nuuo/crystal 2.2.1

nuuo/crystal 3.0.0

... and 26 more

Published Aug 31, 2016

Tracked Since Feb 18, 2026