NUUO NVRmini2 and NVRsolo

Act Now10ICS-CERT ICSA-18-284-01Oct 11, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

NUUO NVRmini2 and NVRsolo network video recorders (all versions up to 3.8.0) contain vulnerabilities that allow unauthenticated remote code execution and user account modification. An attacker can exploit these issues to run arbitrary commands on the device, modify recordings, create unauthorized accounts, or disrupt surveillance operations. NUUO has released firmware version 3.9.1 which resolves these issues.

What this means

What could happen

An attacker could remotely run commands on an NUUO NVRmini2 or NVRsolo recorder with no authentication, potentially modifying video footage, changing user accounts, or disrupting surveillance operations that support physical security and incident response.

Who's at risk

Surveillance and security system operators managing NUUO NVRmini2 or NVRsolo recorders. This affects any organization using these NVRs for facility security, physical access control, or incident documentation (utilities, manufacturing, water authorities, municipal operations).

How it could be exploited

An attacker on the network (or from the Internet if the device is exposed) sends a specially crafted request to the NVR device on its web interface or API port. The device fails to properly validate input or enforce access controls, allowing the attacker to execute arbitrary code and modify user accounts without any credentials.

Prerequisites

Network reachability to the NVR device (typically port 80/443 for web interface)
No authentication required for exploitation

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (16.7%)Critical CVSS (10/10)Affects physical security and incident investigation

Exploitability

High exploit probability (EPSS 16.7%)

Affected products (1)

ProductAffected VersionsFix Status

NVRmini2 NVRsolo: All≤ 3.8.03.9.1

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to NVR devices using firewall rules—block Internet access and allow connections only from trusted management networks

HARDENINGDisable remote access to NVR devices unless explicitly required; if remote access is needed, enforce VPN with strong authentication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate NUUO NVRmini2 and NVRsolo firmware to version 3.9.1 or later

Long-term hardening

0/1

HARDENINGIsolate NVR devices and surveillance infrastructure from your business network using network segmentation

CVEs (2)

CVE-2018-1149 CVE-2018-1150

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9ce90a29-4063-4961-9bc2-dc7e91e2e929