CVE-2022-23227
CRITICAL | KEV
NUUO NVRmini2 < 3.11.0 - Unauthenticated Arbitrary User Creation via handle_import_user.php
Title source: llm
Exploitation Summary
CVE-2022-23227 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 18, 2024.
Description
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because handle_import_user.php does not require authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
References (5)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/16044
Exploit, Third Party Advisory x_refsource_misc
https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device
Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=29936569
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227
Scores
CVSS v3
9.8
EPSS
0.5388
EPSS Percentile
98.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
yes
Technical Impact
total
Details
CISA KEV
2024-12-18
VulnCheck KEV
2024-12-18
InTheWild.io
2024-12-18
ENISA EUVD
EUVD-2022-28314
CWE
CWE-306
Status
published
Products (1)
nuuo/nvrmini2_firmware
< 3.11.0
Published
Jan 14, 2022
KEV Added
Dec 18, 2024
Tracked Since
Feb 18, 2026