CVE-2018-14933

CRITICAL KEV NUCLEI

NUUO NVRmini Firmware - Remote Command Execution via uploaddir Parameter

Exploitation Summary

CVE-2018-14933 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 18, 2024. EIP tracks 3 public exploits, credited to Metasploit, Berk Dusunur, and numan turle, including the Metasploit module exploits/multi/http/nuuo_nvrmini_upgrade_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in NUUO NVRmini's upgrade_handle.php via the 'writeuploaddir' command parameter. It allows remote command execution by injecting arbitrary commands into the 'uploaddir' parameter.

Description

upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/46340

This Metasploit module exploits a command injection vulnerability in NUUO NVRmini's upgrade_handle.php via the 'writeuploaddir' command parameter. It allows remote command execution by injecting arbitrary commands into the 'uploaddir' parameter.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NUUO NVRmini IP camera (web application)
No auth needed
Prerequisites: Network access to the target device · upgrade_handle.php endpoint accessible
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Berk Dusunur · text · webapps · hardware
https://www.exploit-db.com/exploits/45070

This exploit demonstrates an unauthenticated remote code execution vulnerability in NUUO NVR v2016 via command injection in the 'uploaddir' parameter of 'upgrade_handle.php'. The PoC shows arbitrary command execution (e.g., 'whoami' and 'id') by injecting shell commands into the parameter.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NUUO NVR v2016
No auth needed
Prerequisites: Network access to the target system on port 50000
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Berk Dusunur, numan turle · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb

This Metasploit module exploits a command injection vulnerability in NUUO NVRmini's upgrade_handle.php via the 'writeuploaddir' command parameter. It allows remote command execution by injecting arbitrary commands into the 'uploaddir' GET parameter.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: NUUO NVRmini IP camera (web application)
No auth needed
Prerequisites: Network access to the target device · upgrade_handle.php endpoint accessible
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

NUUO NVRmini - Remote Command Execution
CRITICAL · by ritikchaddha
Shodan: title:"NUUO"
FOFA: title="NUUO"

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45070/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46340/

Scores

CVSS v3 9.8
EPSS 0.9387
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-12-18
VulnCheck KEV 2019-06-13
InTheWild.io 2018-12-02
ENISA EUVD EUVD-2018-6815
CWE CWE-78
Status published
Products (1)
nuuo/nvrmini_firmware 2016
Published Aug 04, 2018
KEV Added Dec 18, 2024
Tracked Since Feb 18, 2026