The Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting significant security risks for various devices used worldwide.
These vulnerabilities, which have been actively exploited in the wild, emphasize the need for organizations to prioritize their mitigation efforts to safeguard their infrastructure and data.
Details of the Vulnerabilities
CVE-2018-14933 – NUUO NVRmini Devices OS Command Injection
This vulnerability affects NUUO NVRmini devices, allowing remote attackers to execute commands using shell metacharacters in the uploaddir parameter during a writeuploaddir command.
Classified as an OS command injection flaw (CWE-78), it enables unauthorized remote access to critical operations. Since these devices are now End-of-Life (EoL) or End-of-Service (EoS), CISA recommends users discontinue their use to mitigate associated security risks.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
CVE-2022-23227 – NUUO NVRmini 2 Devices Missing Authentication
This flaw impacts NUUO NVRmini 2 devices and arises from a missing authentication mechanism (CWE-306). Exploitation allows attackers to upload encrypted TAR archives, which can be abused to add arbitrary users to the system.
Since the affected product is EoL or EoS, users are strongly advised to phase it out and explore alternative solutions.
CVE-2019-11001 – Reolink Multiple IP Cameras OS Command Injection
This vulnerability affects Reolink IP cameras, including models such as RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W. It allows authenticated administrators to exploit the “TestEmail” functionality and inject OS commands as root.
This OS command injection issue (CWE-78) poses a critical security threat. CISA recommends discontinuing usage of the product if no effective mitigations are available.
CVE-2021-40407 – Reolink RLC-410W OS Command Injection
This vulnerability specifically impacts the Reolink RLC-410W camera. An authenticated OS command injection flaw (CWE-78) exists in the device’s network settings functionality, providing attackers with the ability to execute commands.
If no mitigations are in place, users should immediately cease product usage.
The KEV catalog, maintained by CISA, serves as a vital resource for organizations to address vulnerabilities that attackers are actively exploiting.
Updated in multiple formats (CSV, JSON, JSON Schema), this catalog helps network defenders prioritize vulnerability management in alignment with real-world threat activity.
Organizations are encouraged to assess their systems for exposure to these vulnerabilities and implement necessary measures before CISA’s recommended deadline of January 8, 2025.
By leveraging the KEV catalog, security teams can enhance their defenses and reduce the risk of exploitation.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free