CVE-2022-23227
NUUO NVRmini2 Devices Missing Authentication Vulnerability
Confirmed exploited in the wild. Added 2024-12-18.
Federal remediation due 2025-01-08.
Required action: The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.
Summary
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because handle_import_user.php performs no authentication check. When combined with another flaw (CVE-2011-5325), it is possible to overwrite arbitrary files under the web root and achieve code execution as root.
CVSS 3.1 breakdown
| Metric | Value |
|---|---|
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
References
- https://github.com/pedrib/PoC/blob/master/advisories/NUUO/nuuo_nvrmini_round2.mkd
- https://github.com/rapid7/metasploit-framework/pull/16044
- https://news.ycombinator.com/item?id=29936569
- https://portswigger.net/daily-swig/researcher-discloses-alleged-zero-day-vulnerabilities-in-nuuo-nvrmini2-recording-device
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-23227
Data: NIST NVD + CISA KEV. NVD last modified 2025-11-07. Always verify against the vendor advisory before acting.