CVE-2022-23227
Published: 14 January 2022
Summary
CVE-2022-23227 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Nuuo Nvrmini2 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
NUUO NVRmini2 versions through 3.11 contain a missing authentication flaw (CWE-306) in handle_import_user.php that permits an unauthenticated attacker to upload an encrypted TAR archive. The component accepts the archive without any access control checks, enabling the creation of arbitrary user accounts on the device.
An unauthenticated remote attacker can leverage the upload primitive together with CVE-2011-5325 to extract and overwrite arbitrary files beneath the web root. Successful exploitation yields code execution with root privileges and carries a CVSS 3.1 score of 9.8.
Public references include a detailed proof-of-concept, a Metasploit pull request adding an exploit module, and coverage on technical forums; the associated EPSS score has reached 0.5388, indicating substantial observed exploitation interest. No vendor patch or mitigation guidance is referenced in the available advisories.
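Because vulnerable firmware performs no authentication on handle_import_user.php, every request to that script is worth reviewing in the device's or a fronting reverse proxy's access log. The following is an added example (not code from the advisory or from NUUO) that parses combined-format access-log lines, groups requests to the endpoint by source address, and flags those submitted without a Referer as a stronger signal; the log format, the web-root path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; adjust if the device or
# proxy logs differently).
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoint named in the advisory; serving it from "/" is an assumption.
TARGET = "/handle_import_user.php"

# Constructed sample log lines for illustration; not real NVRmini2 logs.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2022:10:01:22 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.9 - - [14/Jan/2022:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2022:10:02:41 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "-" "python-requests/2.27"
192.0.2.44 - - [14/Jan/2022:10:05:10 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "http://nvr.example/users.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_import_user_requests(lines):
    """Group requests to handle_import_user.php by source address.

    Every hit deserves review because the vulnerable versions authenticate
    nothing on this script. A missing Referer is counted separately as a
    heuristic: a legitimate import is submitted from the web UI, whereas a
    direct POST from a script usually carries none (Referer can be forged,
    so treat it as a triage aid, not proof).
    """
    findings = defaultdict(lambda: {"count": 0, "no_referer": 0, "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != TARGET:
            continue
        f = findings[rec["src"]]
        f["count"] += 1
        f["agents"].add(rec["ua"])
        if rec["referer"] in ("", "-"):
            f["no_referer"] += 1
    return dict(findings)


if __name__ == "__main__":
    for src, f in find_import_user_requests(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {f['count']} request(s), {f['no_referer']} without Referer, agents={sorted(f['agents'])}")
```

Feed real log lines in place of SAMPLE_LOG; sources with repeated no-Referer POSTs that are not known administrators are the ones to investigate first.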
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28314
Vulnerability details
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- KEV Date Added: 18 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before permitting any access to functions such as handle_import_user.php.
- AC-17 (Remote Access): requires explicit authorization and authentication for all remote access sessions to the NVRmini2 web interface.
- Mandates identification and authentication of services/endpoints before accepting uploads or processing sensitive operations.