Remote Code Execution Vulnerability Present in NUUO’s NVRMini2

Tenable Research detected a critical remote code execution vulnerability in the NVRMini2 portable network video recorder created by NUUO. Dubbed Peekaboo and tracked as CVE-2018-1149, the flaw can be exploited remotely by attackers to enable access to an affected device’s control management system (CMS), expose credentials for all connected CCTV cameras in clear text, and control live video feeds and alter security footage. A backdoor, tracked as CVE-2018-1150, was also detected but, unlike Peekaboo, this flaw requires local network access. NVRMini2 is used for online surveillance across a range of industries including government, education, and transportation and it is estimated that NUUO has over 100,000 installations worldwide. NUUO released version 3.9.1 on September 19 to address the Peekaboo vulnerability. The NJCCIC recommends users and administrators of affected devices review the Tenable Research Advisory, restrict network access to only authorized users, and update to v3.9.1 as soon as possible.