CVE-2018-14933

CRITICAL KEV NUCLEI

NUUO NVRmini - RCE

Title source: llm

Description

upgrade_handle.php on NUUO NVRmini devices allows Remote Command Execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/46340

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Berk Dusunur · textwebappshardware

https://www.exploit-db.com/exploits/45070

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Berk Dusunur, numan turle · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/nuuo_nvrmini_upgrade_rce.rb

View Code ZIP pw:eip

Nuclei Templates (1)

NUUO NVRmini - Remote Command Execution

CRITICALby ritikchaddha

Shodan: title:"NUUO"

FOFA: title="NUUO"

References (3)

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/45070/

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46340/

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-14933

Scores

CVSS v3 9.8

EPSS 0.9387

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2024-12-18

VulnCheck KEV 2019-06-13

InTheWild.io 2018-12-02

ENISA EUVD EUVD-2018-6815

CWE

CWE-78

Status published

Products (1)

nuuo/nvrmini_firmware 2016

Published Aug 04, 2018

KEV Added Dec 18, 2024

Tracked Since Feb 18, 2026