Uniview NVR301-04S2-P4 (Update A)

Act NowCVSS 6.1ICS-CERT ICSA-24-156-01Jun 4, 2024

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

A stored or reflected cross-site scripting (XSS) vulnerability in the Uniview NVR301-04S2-P4 web interface allows an attacker to send a malicious URL that executes arbitrary JavaScript in the browser of a logged-in user. If the user clicks the link, the JavaScript runs with the user's session privileges, potentially allowing the attacker to modify NVR settings, access video feeds, or perform other unauthorized actions without providing credentials. The vulnerability affects all versions prior to NVR-B3801.20.17.240507.

What this means

What could happen

An attacker could trick a user into clicking a malicious link that runs JavaScript code in their browser session to the NVR, potentially allowing unauthorized access to video feeds or NVR settings. This affects facilities that rely on the NVR for physical security monitoring and access control decisions.

Who's at risk

This vulnerability affects facilities using Uniview NVR301-04S2-P4 network video recorders for physical security surveillance. Anyone responsible for water treatment plants, power substations, pump stations, or other critical infrastructure using this NVR model for CCTV should be aware, as compromised video feeds or NVR settings could impact physical security incident response and investigation capability.

How it could be exploited

An attacker crafts a URL containing malicious JavaScript and sends it to an NVR user (via email, chat, or social engineering). When the user clicks the link while logged into the NVR web interface, the JavaScript executes in their browser with their session credentials, allowing the attacker to perform actions on the NVR without needing separate authentication.

Prerequisites

User must be logged into the NVR web interface
User must click on a malicious link provided by the attacker
NVR web interface must be reachable from the user's network or the internet

remotely exploitablelow complexityhigh EPSS score (11.9%)requires user interactionaffects security monitoring systems

Exploitability

Likely to be exploited — EPSS score 11.9%

Affected products (1)

ProductAffected VersionsFix Status

NVR301-04S2-P4: <NVR-B3801.20.17.240507<NVR-B3801.20.17.240507NVR-B3801.20.17.240507

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDEducate users not to click on unknown or suspicious links, especially those claiming to be NVR-related

HARDENINGRestrict NVR web interface access to authenticated internal users only; disable direct internet exposure if possible

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGUse a web application firewall or proxy to filter malicious JavaScript payloads if available

HOTFIXUpdate NVR firmware to version NVR-B3801.20.17.240507 or later when available and tested in your environment

CVEs (1)

CVE-2024-3850

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ff499041-848f-427e-a06f-4d95cd143de6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.