CVE-2022-45045

EUVD-2022-47970
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
xiongmaitechmbd6304t
-
xiongmaitechnbd6808t-pl
-
xiongmaitechnbd7004t-p
*
xiongmaitechnbd7008t-p
*
xiongmaitechnbd7016t-f-v2
*
xiongmaitechnbd7024h-p
*
xiongmaitechnbd7024t-p
*
xiongmaitechnbd7804r-f\(ep\)
*
xiongmaitechnbd7804r-f\(hdmi\)
*
xiongmaitechnbd7804r-fw
*
xiongmaitechnbd7804t-pl
*
xiongmaitechnbd7808r-pl\(ep\)
*
xiongmaitechnbd7808r-pl\(hdmi\)
*
xiongmaitechnbd7808t-pl
*
xiongmaitechnbd7904r-fs
*
xiongmaitechnbd7904t-p
*
xiongmaitechnbd7904t-pl
*
xiongmaitechnbd7904t-pl-xpoe
-
xiongmaitechnbd7904t-plc-xpoe
-
xiongmaitechnbd7904t-q
*
xiongmaitechnbd7908t-q
*
xiongmaitechnbd8004r-pl\(ep\)
*
xiongmaitechnbd8004r-yl\(ep\)
-
xiongmaitechnbd8004t-q
*
xiongmaitechnbd8008r-pl
*
xiongmaitechnbd8008r-pl\(ep\)
*
xiongmaitechnbd8008r-yl\(ep\)
-
xiongmaitechnbd8008ra-gl
-
xiongmaitechnbd8008ra-glk
-
xiongmaitechnbd8008ra-ul\(ep\)
-
xiongmaitechnbd8008ra-ula
-
xiongmaitechnbd8008ra-ulk
-
xiongmaitechnbd8008t-q
*
xiongmaitechnbd8009s-ula-v2
-
xiongmaitechnbd8010s-kl-v2
-
xiongmaitechnbd8016r-ul
*
xiongmaitechnbd8016ra-k\(ep\)
-
xiongmaitechnbd8016ra-ul
-
xiongmaitechnbd8016ra-ul\(ep\)
-
xiongmaitechnbd8016ra-ula
-
xiongmaitechnbd8016ra-ulk
-
xiongmaitechnbd8016s-kl-v2
-
xiongmaitechnbd8016s-ula-v2
-
xiongmaitechnbd8016t-q-v2
*
xiongmaitechnbd8025r-ul
*
xiongmaitechnbd8032h4-p
*
xiongmaitechnbd8032h4-q
*
xiongmaitechnbd8032h4-qe
*
xiongmaitechnbd8032h4-ul
-
xiongmaitechnbd8032h8-p
*
xiongmaitechnbd8032h8-qe
*
xiongmaitechnbd8032ra-ul-v2
-
xiongmaitechnbd8064h8-p
*
xiongmaitechnbd80n16ra-kl
-
xiongmaitechnbd80n16ra-kl\(ep\)
-
xiongmaitechnbd80s08s-kl\(ep\)
-
xiongmaitechnbd80s10s-kl
-
xiongmaitechnbd80s16s-kl
-
xiongmaitechnbd80s16s-kl\(ep\)
-
xiongmaitechnbd80x09ra-kl
-
xiongmaitechnbd80x09s-kl
-
xiongmaitechnbd88x09s-kl
-
xiongmaitechnbd8904r-pl
*
xiongmaitechnbd8904r-yl
-
xiongmaitechnbd8904t-gsc-xpoe
-
xiongmaitechnbd8904t-q
*
xiongmaitechnbd8908r-pl
*
xiongmaitechnbd8908r-yl
*
xiongmaitechnbd8908t-pl-xpoe
-
xiongmaitechnbd8908t-plc-xpoe
-
xiongmaitechnbd8916f4-q
*
xiongmaitechnbd8916f8-q
*
xiongmaitechmbd6304t_firmware
4.02.r11.00000117.10001.131900.00000:r11.00000117
xiongmaitechnbd6808t-pl_firmware
4.02.r11.c7431119.12001.130000.00000:r11.c7431119
xiongmaitechnbd7004t-p_firmware
-
xiongmaitechnbd7008t-p_firmware
-
xiongmaitechnbd7016t-f-v2_firmware
-
xiongmaitechnbd7024h-p_firmware
-
xiongmaitechnbd7024t-p_firmware
-
xiongmaitechnbd7804r-f\(ep\)_firmware
-
xiongmaitechnbd7804r-f\(hdmi\)_firmware
-
xiongmaitechnbd7804r-fw_firmware
-
xiongmaitechnbd7804t-pl_firmware
-
xiongmaitechnbd7808r-pl\(ep\)_firmware
-
xiongmaitechnbd7808r-pl\(hdmi\)_firmware
-
xiongmaitechnbd7808t-pl_firmware
-
xiongmaitechnbd7904r-fs_firmware
-
xiongmaitechnbd7904t-p_firmware
-
xiongmaitechnbd7904t-pl_firmware
-
xiongmaitechnbd7904t-pl-xpoe_firmware
-
xiongmaitechnbd7904t-plc-xpoe_firmware
-
xiongmaitechnbd7904t-q_firmware
-
xiongmaitechnbd7908t-q_firmware
-
xiongmaitechnbd8004r-pl\(ep\)_firmware
-
xiongmaitechnbd8004r-yl\(ep\)_firmware
-
xiongmaitechnbd8004t-q_firmware
-
xiongmaitechnbd8008r-pl_firmware
-
xiongmaitechnbd8008r-pl\(ep\)_firmware
-
xiongmaitechnbd8008r-yl\(ep\)_firmware
-
xiongmaitechnbd8008ra-gl_firmware
-
xiongmaitechnbd8008ra-glk_firmware
-
xiongmaitechnbd8008ra-ul\(ep\)_firmware
-
xiongmaitechnbd8008ra-ula_firmware
-
xiongmaitechnbd8008ra-ulk_firmware
-
xiongmaitechnbd8008t-q_firmware
-
xiongmaitechnbd8009s-ula-v2_firmware
-
xiongmaitechnbd8010s-kl-v2_firmware
-
xiongmaitechnbd8016r-ul_firmware
-
xiongmaitechnbd8016ra-k\(ep\)_firmware
-
xiongmaitechnbd8016ra-ul_firmware
-
xiongmaitechnbd8016ra-ul\(ep\)_firmware
-
xiongmaitechnbd8016ra-ula_firmware
-
xiongmaitechnbd8016ra-ulk_firmware
-
xiongmaitechnbd8016s-kl-v2_firmware
-
xiongmaitechnbd8016s-ula-v2_firmware
-
xiongmaitechnbd8016t-q-v2_firmware
-
xiongmaitechnbd8025r-ul_firmware
-
xiongmaitechnbd8032h4-p_firmware
-
xiongmaitechnbd8032h4-q_firmware
-
xiongmaitechnbd8032h4-qe_firmware
-
xiongmaitechnbd8032h4-ul_firmware
-
xiongmaitechnbd8032h8-p_firmware
-
xiongmaitechnbd8032h8-qe_firmware
-
xiongmaitechnbd8032ra-ul-v2_firmware
-
xiongmaitechnbd8064h8-p_firmware
-
xiongmaitechnbd80n16ra-kl_firmware
-
xiongmaitechnbd80n16ra-kl\(ep\)_firmware
-
xiongmaitechnbd80s08s-kl\(ep\)_firmware
-
xiongmaitechnbd80s10s-kl_firmware
-
xiongmaitechnbd80s16s-kl_firmware
-
xiongmaitechnbd80s16s-kl\(ep\)_firmware
-
xiongmaitechnbd80x09ra-kl_firmware
-
xiongmaitechnbd80x09s-kl_firmware
-
xiongmaitechnbd88x09s-kl_firmware
-
xiongmaitechnbd8904r-pl_firmware
-
xiongmaitechnbd8904r-yl_firmware
-
xiongmaitechnbd8904t-gsc-xpoe_firmware
-
xiongmaitechnbd8904t-q_firmware
-
xiongmaitechnbd8908r-pl_firmware
-
xiongmaitechnbd8908r-yl_firmware
-
xiongmaitechnbd8908t-pl-xpoe_firmware
-
xiongmaitechnbd8908t-plc-xpoe_firmware
-
xiongmaitechnbd8916f4-q_firmware
-
xiongmaitechnbd8916f8-q_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://vulncheck.com/blog/xiongmai-iot-exploitation
https://vulncheck.com/blog/xiongmai-iot-exploitation