BID:106058

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

Info

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

Bugtraq ID:	106058
Class:	Input Validation Error
CVE:	CVE-2018-14933
Remote:	Yes
Local:	No
Published:	Sep 19 2018 12:00AM
Updated:	Sep 19 2018 12:00AM
Credit:	Tenable
Vulnerable:	NUUO NVRsolo Plus 0 NUUO NVRsolo 0 NUUO NVRmini 2 0

Not Vulnerable:	NUUO NVRsolo Plus 3.10 NUUO NVRsolo 3.10 NUUO NVRmini 2 3.10

Discussion

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

NUUO NVRmini Products are prone to an remote command-injection vulnerability.

An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.

Exploit / POC

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

The researcher who discovered this issue has created a proof-of-concept to demonstrate the issue. The exploit is otherwise not publicly available.

Solution / Fix

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

NUUO NVRmini Products CVE-2018-14933 Remote Command Injection Vulnerability

References:

NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution (exploit-db.com)
NUUO Homepage (NUUO Inc.)
tenable/poc (tenable)
[Major Update] Security Upgrade for NUUO NVRsolo, NVRsolo Plus and NVRmini 2 se (NUUO Inc)