NUUO CMS (Update A)

Act Now9.8ICS-CERT ICSA-18-284-02Oct 11, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

NUUO CMS versions 3.3 and earlier contain multiple vulnerabilities including weak randomness (CWE-330), weak credentials (CWE-798), path traversal (CWE-22), insecure file upload (CWE-434), and SQL injection (CWE-89) that could allow remote code execution without authentication. Successful exploitation could result in arbitrary remote code execution on the CMS server. No known public exploits currently target these vulnerabilities.

What this means

What could happen

An attacker could execute arbitrary code on the CMS server, gaining complete control and potentially modifying surveillance system configurations, disabling cameras, or accessing stored video footage and access credentials.

Who's at risk

Facility managers and security teams operating NUUO CMS (Camera Management System) versions 3.1 and 3.3 or earlier should prioritize this. Affected organizations include those using centralized IP camera management for building security, manufacturing surveillance, or critical infrastructure monitoring.

How it could be exploited

An attacker on the network reaches the CMS server on its management port without authentication and sends a crafted request that exploits multiple weaknesses (weak randomness, path traversal, insecure file permissions, weak credentials, file upload, or SQL injection) to upload and execute malicious code. No user interaction is required.

Prerequisites

["Network access to NUUO CMS management interface (typically port 8080)", "No valid credentials required", "Direct network path to CMS device (Internet-exposed or internal)]

remotely exploitableno authentication requiredlow complexityhigh EPSS score (67.8%)affects surveillance and security systems

Exploitability

High exploit probability (EPSS 67.8%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

CMS:≤ 3.33.3.0.18

CMS:≤ 3.13.3.0.18

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to CMS management interface using firewall rules; block access from Internet and limit to authorized engineering networks only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate NUUO CMS to firmware v3.3.0 or later as provided by vendor

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate CMS server and all cameras behind a firewall, separate from business network and Internet access

HARDENINGIf remote access is required, deploy VPN with strong encryption and authentication rather than exposing CMS to the Internet

CVEs (7)

CVE-2018-17888 CVE-2018-17890 CVE-2018-17892 CVE-2018-17894 CVE-2018-17934 CVE-2018-17936 CVE-2018-18982

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2895238c-bc57-4f56-83c9-4af3645d76e3