Cyber Resilience

CVE-2022-23227

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 14 January 2022
Modified: 07 November 2025
KEV Added: 18 December 2024
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5388 (98.1th percentile)
Risk Priority: 72 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-23227 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in NUUO NVRmini2 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

NUUO NVRmini2 versions through 3.11 contain a missing authentication flaw (CWE-306) in handle_import_user.php that permits an unauthenticated attacker to upload an encrypted TAR archive. The component accepts the archive without any access control checks, enabling the creation of arbitrary user accounts on the device.

An unauthenticated remote attacker can leverage the upload primitive together with CVE-2011-5325 to extract and overwrite arbitrary files beneath the web root. Successful exploitation yields code execution with root privileges and carries a CVSS 3.1 score of 9.8.

Public references include a detailed proof-of-concept, a Metasploit pull request adding an exploit module, and coverage on technical forums. The associated EPSS score is 0.5388 (98.1th percentile), indicating a high estimated likelihood of exploitation. No vendor patch or mitigation guidance is referenced in the available advisories.
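A defensive log check for the exposure described above, as an added example that is not code from this page, the vendor, or any referenced advisory: it flags requests to handle_import_user.php that originate outside an administrative subnet. The Combined Log Format source, the 10.20.0.0/24 subnet, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

ENDPOINT = "handle_import_user.php"  # file name from the advisory text
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: hypothetical admin subnet

# Assumption: Common/Combined Log Format from a proxy or web server in front of the NVR.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [03/Feb/2025:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.44 - - [03/Feb/2025:09:14:37 +0000] "POST /handle_import_user.php HTTP/1.1" 200 87
10.20.0.15 - - [03/Feb/2025:09:20:10 +0000] "POST /handle_import_user.php HTTP/1.1" 200 91
198.51.100.7 - - [03/Feb/2025:09:31:55 +0000] "GET /HANDLE_IMPORT_USER.PHP?x=1 HTTP/1.1" 404 0
garbage line that does not parse
203.0.113.44 - - [03/Feb/2025:09:40:02 +0000] "POST /handle_import_user.php HTTP/1.1" 200 87
"""

def find_import_hits(log_text, mgmt_nets=MGMT_NETS):
    """Return (hits, unparsed) for requests to ENDPOINT from outside mgmt_nets."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            src = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed += 1  # keep a count so silent parser gaps are visible
            continue
        # Compare the last path segment, ignoring query string and case.
        if urlsplit(m["target"]).path.rsplit("/", 1)[-1].lower() != ENDPOINT:
            continue
        if any(src in net for net in mgmt_nets):
            continue
        # A 2xx POST means the endpoint accepted the request; the rest is probing to review.
        high = m["method"] == "POST" and m["status"].startswith("2")
        hits.append({"ip": str(src), "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "severity": "high" if high else "review"})
    return hits, unparsed

def high_by_source(hits):
    """Count high-severity hits per source address."""
    return Counter(h["ip"] for h in hits if h["severity"] == "high")
```

Calling `find_import_hits(SAMPLE_LOG)` returns the three external requests plus a count of one unparsed line. Because the flaw is missing authentication, a hit from inside the allowlisted subnet is not proof of legitimacy, only lower priority.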

EU & UK References

Vulnerability details

NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.

CWE(s)
KEV Date Added: 18 December 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nuuo · nvrmini2 firmware · ≤ 3.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly enforces authentication and authorization checks before permitting any access to functions such as handle_import_user.php.

prevent

Requires explicit authorization and authentication for all remote access sessions to the NVRmini2 web interface.

prevent

Mandates identification and authentication of services/endpoints before accepting uploads or processing sensitive operations.

References