TheCyberThrone

CISA KEV Catalog Update Part V – December 2024

CISA has added the following vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation:

CVE-2018-14933 

CVE-2018-14933 (CVSS score 9.8, CWE-78) is a critical vulnerability in NUUO NVRmini devices. It is located in the `upgrade_handle.php` file and allows remote command execution via shell metacharacters in the `uploaddir` parameter associated with the `writeuploaddir` command. By manipulating the `uploaddir` parameter, an attacker can execute arbitrary commands on the affected device and compromise it.

CVE-2022-23227 

CVE-2022-23227 (CVSS score 9.8, CWE-306) is a critical vulnerability affecting NUUO NVRmini2 devices, particularly versions up to 3.11. It allows an unauthenticated attacker to upload an encrypted TAR archive, which can be exploited to add arbitrary users, because the `handle_import_user.php` file lacks authentication. When this vulnerability is combined with another flaw, CVE-2011-5325, it becomes possible to overwrite arbitrary files under the web root, leading to code execution as root.

CVE-2019-11001 

CVE-2019-11001 (CVSS score 7.2, CWE-78) is a significant vulnerability affecting various Reolink devices, including the RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W models with firmware versions up to 1.0.227. It allows an authenticated admin user to abuse the “TestEmail” functionality to inject and execute operating system commands with root privileges. The injection point is the `addr1` field, where shell metacharacters lead to arbitrary command execution.

CVE-2021-40407 

CVE-2021-40407 (CVSS score 9.8, CWE-78) is a critical vulnerability identified in Reolink RLC-410W devices with firmware version 3.0.0.136_20121102. It is an OS command injection flaw within the network settings functionality of the device. Specifically, the ddns-domain variable, which is part of the SetDdns API, is not properly validated, so a crafted HTTP request can execute arbitrary commands on the affected device.
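
The three CWE-78 entries above (CVE-2018-14933, CVE-2019-11001, CVE-2021-40407) share one pattern, shell metacharacters in a single request field, which a defender can triage for in proxy or device logs. The following is an added example, not code from CISA, the vendors or this site; it assumes requests have already been parsed into field/value pairs, and the sample records and the on-the-wire spelling of the field names are constructed.

```python
import re
from urllib.parse import unquote

# Fields named in the entries above; their exact wire names are an assumption.
WATCHED_FIELDS = {"uploaddir", "addr1", "ddns-domain"}

# Characters a POSIX shell treats as control, quoting or expansion syntax.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(params):
    """Return sorted (field, offending characters) pairs for watched fields."""
    hits = []
    for name, raw in params.items():
        if name not in WATCHED_FIELDS:
            continue
        found = sorted(set(SHELL_META.findall(fully_decode(raw))))
        if found:
            hits.append((name, "".join(found)))
    return sorted(hits)


# Constructed sample records: field name -> raw value as logged.
SAMPLES = [
    {"uploaddir": "/mnt/upload"},
    {"uploaddir": "/mnt/upload%3Becho%20probe"},
    {"addr1": "alerts@example.com"},
    {"addr1": "alerts@example.com%2560echo%2520probe%2560"},  # double-encoded
    {"ddns-domain": "cam1.example.net", "user": "a;b"},        # unwatched field
    {"ddns-domain": "cam1.example.net$(echo probe)"},
]


def triage(samples):
    """Return (record index, hits) for every record with a flagged field."""
    results = [(i, flag_request(p)) for i, p in enumerate(samples)]
    return [(i, hits) for i, hits in results if hits]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLES):
        print(idx, hits)
```

A legitimate upload path, e-mail address or DDNS hostname contains none of these characters, so any hit on these fields is worth reviewing.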

CISA has set January 08, 2025, as the deadline for federal agencies to remediate the vulnerabilities.