CVE-2016-5676

HIGH

NETGEAR ReadyNAS Surveillance 1.1.1-1.4.1 & NUUO NVRmini2/NVRsolo 1.7.5-2.x - Unauthenticated Admin Password Reset

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-5676. PoCs published by Pedro Ribeiro, including Metasploit module auxiliary/admin/http/nuuo_nvrmini_reset.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in NUUO NVR devices and NETGEAR ReadyNAS Surveillance, including unauthenticated remote code execution via improper input validation in PHP files. Proofs of concept include command injection via GET parameters to achieve reverse shells as root or admin.

Description

cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1.7.5 through 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to reset the administrator password via a cmd=loaddefconfig action.

Exploits (2)

exploitdb WORKING POC

by Pedro Ribeiro · textremotehardware

https://www.exploit-db.com/exploits/40200

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in NUUO NVR devices and NETGEAR ReadyNAS Surveillance, including unauthenticated remote code execution via improper input validation in PHP files. Proofs of concept include command injection via GET parameters to achieve reverse shells as root or admin.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NUUO NVRmini2, NVRsolo, Crystal, NETGEAR ReadyNAS Surveillance

No auth needed

Prerequisites: Network access to the target device

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/nuuo_nvrmini_reset.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in NUUO NVRmini 2 and NETGEAR ReadyNAS Surveillance devices to reset the administrator password by loading default configurations. It supports both authenticated and unauthenticated attacks depending on the firmware version.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: NUUO NVRmini 2 / NETGEAR ReadyNAS Surveillance (firmware before v1.7.6)

No auth needed

Prerequisites: Network access to the target device · Exposed web management interface on port 8081

MITRE ATT&CK

T1110.001 - Password Guessing T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/856152

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/92318

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40200/

Scores

CVSS v3 7.5

EPSS 0.7623

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-285

Status published

Products (24)

netgear/readynas_surveillance 1.1.1

netgear/readynas_surveillance 1.1.2

netgear/readynas_surveillance 1.2.0.4

netgear/readynas_surveillance 1.3.2.4

netgear/readynas_surveillance 1.3.2.14

netgear/readynas_surveillance 1.4.0

netgear/readynas_surveillance 1.4.1

netgear/readynas_surveillance 1.4.2

nuuo/nvrmini_2 1.7.5

nuuo/nvrmini_2 1.7.6

... and 14 more

Published Aug 31, 2016

Tracked Since Feb 18, 2026