vulnerability

NUUO NVRmini2: CVE-2022-23227: Missing Authentication for Critical Function

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jan 14, 2022	Sep 2, 2025	Sep 2, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jan 14, 2022

Added

Sep 2, 2025

Modified

Sep 2, 2025

Description

NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.

Solution

nuuo-nvrmini-upgrade-latest

References

CVE-2022-23227
https://attackerkb.com/topics/CVE-2022-23227
URL-https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd
URL-https://github.com/rapid7/metasploit-framework/pull/16044
URL-https://news.ycombinator.com/item?id=29936569
URL-https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device
CWE-306

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today