CVE-2022-23227 — NUUO NVRmini2 Devices Missing Authentication Vulnerability

NUUO NVRmini2 (EoL) — Unauthenticated TAR Upload Enables Arbitrary User Creation

What is NUUO NVRmini2?

NUUO is a Taiwan-based vendor of network video recorder (NVR) systems used for IP camera surveillance. The NVRmini2 is a compact, Linux-based NVR appliance designed for small deployments — commonly found in small businesses, retail locations, and home security installations. Like many IoT/embedded devices of its era, the NVRmini2 is often internet-facing to allow remote video monitoring and is managed via a web interface. NUUO has declared this product end-of-life with no further security patches available.

Overview

CVE-2022-23227 is a missing authentication vulnerability (CWE-306) in NUUO NVRmini2 network video recorders. A remote attacker with no credentials can upload a specially crafted encrypted TAR archive to the device, which processes the archive and, as a result, adds arbitrary administrative users. This gives the attacker full control over the device and its video feeds. CVSS 3.1 base score 9.8 (Critical). The product is end-of-life, so NUUO will not issue a patch. CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog in December 2024, nearly three years after publication; KEV entries require evidence of active exploitation, so devices still running this firmware were being attacked in the wild at that time.

Affected Versions

Product          Status
NUUO NVRmini2    All versions; end-of-life, no patch available
NUUO NVRsolo     All versions; end-of-life, no patch available

Required action per CISA: Discontinue use of the product.

Technical Details

The NVRmini2 exposes a web-accessible endpoint that accepts encrypted TAR archive uploads without requiring authentication. The upload functionality was likely intended for firmware updates or configuration imports, but lacks any authentication check before processing the uploaded file.

The attack flow:

  1. Attacker sends an HTTP request to the unauthenticated file upload endpoint on the NVR's web interface
  2. The device accepts and processes the encrypted TAR archive
  3. The archive contains a payload that manipulates the device's user database to add a new administrator account with attacker-controlled credentials
  4. The attacker logs in with the new account, gaining full control of the NVR, camera feeds, and device settings

Because the device is EoL, this vulnerability will never be patched. Any NVRmini2 still running is permanently vulnerable.

Discovery

The vulnerability was disclosed in January 2022. NUUO issued an EoL notification in 2023 rather than releasing a security patch, confirming no remediation would be provided.

Exploitation Context

IP cameras and NVR systems are attractive targets for several reasons:

  • Often internet-facing with no intermediate security controls
  • Rarely patched after initial deployment (especially when EoL)
  • Can be recruited into botnets (Mirai and derivatives specifically target IP cameras and NVRs)
  • Can provide persistent network access and physical surveillance intel
  • May be connected to internal networks with access to other systems

The gap of almost three years between CVE publication (January 2022) and KEV addition (December 2024) shows that the vulnerability was still being exploited long after disclosure. CISA does not name the actors, but exploitation of unpatched, EoL IoT devices at this scale is most often the work of botnet operators scanning the internet for known-vulnerable appliances.

Remediation

  1. Discontinue use and replace: CISA's required action is to discontinue use of the product. Disconnect NVRmini2 devices from the network and replace them with a supported NVR solution that still receives security updates.
  2. If immediate replacement is not possible: Place the device behind a firewall with no direct internet access. Restrict access to the web management interface to known management IPs only.
  3. Check for compromise: Review device logs and connected camera streams for evidence of unauthorized access, and check the admin panel for user accounts you did not create. Because the upload requires no credentials, treat any unexplained account as evidence of compromise and assume that credentials stored on the device and every camera feed it handles have been exposed.
  4. Segment from internal network: Ensure the NVR is on an isolated VLAN with no access to critical internal systems.
  5. Evaluate replacement options: Modern NVR vendors (Synology Surveillance Station, Milestone, Genetec) provide supported products with regular security updates.
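The attack flow in Technical Details and remediation steps 2 to 4 describe what to look for on a device that is still deployed: archive uploads to the web interface from outside the management networks, the same source coming back afterwards, and administrator accounts nobody created. The Python triage script below is an added example, not NUUO's code and not part of the original advisory. It assumes a reverse proxy or firewall in front of the NVR that logs one JSON object per request with the fields shown (the field names and the sample log lines are constructed for the example), a list of management networks as the only legitimate sources, and a baseline list of administrator accounts. The paths /upload and /login in the sample are hypothetical placeholders, not the device's real endpoints.

```python
"""Triage an NVRmini2 still on the network for signs of CVE-2022-23227 abuse.

Added example, not NUUO code and not from the advisory. Assumptions:
  * a proxy/firewall in front of the NVR logs one JSON object per request
    with fields ts, src, method, path, status, bytes_in, content_type
    (field names and the sample lines below are constructed)
  * MGMT_NETS are the only networks that should ever reach the web UI
  * BASELINE_ACCOUNTS are the admin accounts that are supposed to exist
  * "/upload" and "/login" are hypothetical paths, not real device endpoints
"""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime

# Body types that would carry a TAR archive in a POST.
ARCHIVE_TYPES = {"application/x-tar", "application/gzip",
                 "application/octet-stream", "multipart/form-data"}
MIN_UPLOAD_BYTES = 1024  # a POST body smaller than this is not a TAR archive

MGMT_NETS = ["10.0.50.0/24"]
BASELINE_ACCOUNTS = ["admin"]
CURRENT_ACCOUNTS = ["admin", "svc_backup"]  # what the admin panel shows today

# Constructed sample log: a management browse, an outside upload followed by a
# login from the same address, a legitimate upload from management, and one
# malformed line the parser must tolerate.
SAMPLE_LOG = """\
{"ts": "2024-12-01T02:14:07", "src": "10.0.50.5", "method": "GET", "path": "/", "status": 200, "bytes_in": 0, "content_type": ""}
{"ts": "2024-12-01T02:15:31", "src": "198.51.100.23", "method": "POST", "path": "/upload", "status": 200, "bytes_in": 20480, "content_type": "application/octet-stream"}
{"ts": "2024-12-01T02:15:58", "src": "198.51.100.23", "method": "POST", "path": "/login", "status": 302, "bytes_in": 64, "content_type": "application/x-www-form-urlencoded"}
{"ts": "2024-12-01T09:00:12", "src": "10.0.50.5", "method": "POST", "path": "/upload", "status": 200, "bytes_in": 4096, "content_type": "multipart/form-data; boundary=x"}
not json at all
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    bytes_in: int
    content_type: str


def parse_log(lines):
    """Parse JSON-lines access log entries; malformed lines are skipped, not fatal."""
    reqs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            reqs.append(Request(
                ts=datetime.fromisoformat(rec["ts"]),
                src=str(ipaddress.ip_address(rec["src"])),  # rejects junk sources
                method=str(rec["method"]).upper(),
                path=rec["path"],
                status=int(rec["status"]),
                bytes_in=int(rec.get("bytes_in", 0)),
                # drop parameters such as "; boundary=..." before matching
                content_type=str(rec.get("content_type", "")).split(";")[0].strip().lower(),
            ))
        except (ValueError, KeyError, TypeError):
            continue
    return reqs


def is_management(src, allowlist):
    """True if src falls inside one of the management networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def upload_candidates(reqs):
    """POSTs whose body could be an archive: step 1 of the attack flow."""
    return [r for r in reqs if r.method == "POST"
            and r.content_type in ARCHIVE_TYPES and r.bytes_in >= MIN_UPLOAD_BYTES]


def new_accounts(baseline, current):
    """Accounts present on the device that are not in the baseline."""
    return sorted(set(current) - set(baseline))


def triage(lines, allowlist, baseline, current):
    """Correlate outside uploads, follow-on activity and unexplained accounts."""
    reqs = parse_log(lines)
    off_allowlist = [r for r in reqs if not is_management(r.src, allowlist)]
    unauthorized_uploads = [r for r in upload_candidates(reqs)
                            if not is_management(r.src, allowlist)]
    # Step 4 of the attack flow: the same source coming back after its upload.
    follow_ups = [r for r in reqs
                  if any(r.src == u.src and r.ts > u.ts for u in unauthorized_uploads)]
    added = new_accounts(baseline, current)
    return {
        "off_allowlist": off_allowlist,          # firewall rule is not effective
        "unauthorized_uploads": unauthorized_uploads,
        "follow_ups": follow_ups,
        "new_accounts": added,
        # Outside archive upload plus an account nobody created is the pattern.
        "likely_compromised": bool(unauthorized_uploads) and bool(added),
    }


if __name__ == "__main__":
    res = triage(SAMPLE_LOG.splitlines(), MGMT_NETS, BASELINE_ACCOUNTS, CURRENT_ACCOUNTS)
    for r in res["unauthorized_uploads"]:
        print(f"archive upload from outside management nets: {r.src} at {r.ts}")
    for r in res["follow_ups"]:
        print(f"follow-on request from {r.src}: {r.method} {r.path} -> {r.status}")
    print("accounts not in baseline:", res["new_accounts"], "| likely compromised:", res["likely_compromised"])
```

Any entry in off_allowlist means the firewall restriction from step 2 is not actually enforced and should be fixed before anything else; an upload from outside the management networks together with an account not in the baseline should be treated as a confirmed compromise, and the device taken offline rather than cleaned, since nothing stops the next upload.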

Key Details

Property              Value
CVE ID                CVE-2022-23227
Vendor / Product      NUUO — NVRmini2 Devices
NVD Published         2022-01-14
NVD Last Modified     2025-11-07
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-306
CISA KEV Added        2024-12-18
CISA KEV Deadline     2025-01-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-01-08. The impacted product is end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue utilization of the product.

Timeline

Date        Event
2022-01-14  CVE published
2023-03-01  NUUO published EoL letter for NVRmini2 and NVRsolo series
2024-12-18  Added to CISA Known Exploited Vulnerabilities catalog
2025-01-08  CISA BOD 22-01 remediation deadline

References

Resource                  Type
NVD — CVE-2022-23227      Vulnerability Database
CISA KEV Catalog Entry    US Government