CVE-2022-45045: Authenticated root OS command injection in Xiongmai NVR devices
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.
AI Analysis
Technical Summary
CVE-2022-45045 is a high-severity OS command injection (CWE-78, Improper Neutralization of Special Elements used in an OS Command) affecting multiple Xiongmai Network Video Recorder (NVR) devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000. A remote, authenticated attacker can execute arbitrary operating system commands as root by sending a crafted JSON file as part of an upgrade request to the device's management service on TCP port 34567. Authentication is required, but some devices ship with the default credentials admin:tlJwpbo6, so wherever those have not been changed the effective bar is that of an unauthenticated attacker. The vulnerability has been exploited in the wild since approximately 2019. Since at least 2021 Xiongmai has shipped patches that stop this mechanism from being used to launch telnetd; as described, that is a targeted fix for one observed payload rather than a fix of the injection itself, so patched devices should not be assumed safe against other commands. The CVSS v3.1 base score is 8.8: network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity and availability. Because NVRs sit in surveillance and physical security infrastructure, a compromised unit is both a sensitive target in its own right and a convenient foothold on the network.
Potential Impact
For European organizations, exploitation of CVE-2022-45045 poses significant risk. A compromised NVR exposes recorded surveillance footage, undermining privacy obligations such as GDPR. With root access an attacker can alter or delete video evidence, disable recording, or use the device as a pivot point for lateral movement into the rest of the network, leading to operational downtime, loss of trust and potential regulatory penalties. Given the devices' role in physical security, exploitation could also facilitate physical intrusion or espionage. The vulnerability is exploitable over the network without physical access, and the presence of default credentials removes the only real barrier on devices that have not been hardened. Root command execution also allows persistent backdoors to be installed, further attacks to be launched from the device, and sensitive data to be exfiltrated, affecting confidentiality, integrity and availability alike.
Mitigation Recommendations
1. Immediately inventory all Xiongmai NVR devices in the organization and record model and firmware version. Xiongmai hardware is widely sold rebadged under other brand names, so identify devices by firmware string and by the management service on TCP port 34567 rather than by the label on the case.
2. Change the default admin:tlJwpbo6 credentials and set strong, unique passwords on every account. The flaw is reachable by any authenticated user, not only admin, so unused accounts should be removed or disabled as well.
3. Restrict network access to TCP port 34567 with firewall rules or network segmentation so that only trusted management hosts can reach NVR devices. Port 34567 is the device's native management protocol, also used by the vendor's own client software, so allow-list the management hosts rather than assuming the port can simply be blocked, and confirm that no device is reachable from the Internet through port forwarding.
4. Upgrade firmware to the latest version Xiongmai provides. The vendor fix described in the advisory only prevents this vector from launching telnetd, so treat upgraded devices as still exposed to the underlying injection and keep the other controls in place.
5. Monitor and alert on connections to port 34567 from hosts outside the management allow-list, on sources that touch several NVRs in a short window, and on upgrade requests outside planned maintenance windows.
6. Disable remote upgrade functionality where it is not needed, or confine it to the secure management network.
7. Review device configuration regularly: disable unused services, remove unnecessary accounts and apply least privilege.
8. Where the architecture allows it, place an application-layer gateway or proxy in front of the devices that validates upgrade requests before forwarding them.
9. Ensure administrators who manage these devices know the exploitation pattern (authenticated upgrade request over port 34567) and how to report it.
10. Include surveillance infrastructure in incident response plans, covering evidence preservation, device isolation and re-imaging after a suspected compromise.
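The following script is an added example, not code from the advisory or from Xiongmai, showing what the inventory and monitoring recommendations above look like in practice: it parses firewall log lines, flags connections to the NVR management port 34567 that do not come from the management allow-list, flags destinations that answer on 34567 but are missing from the asset inventory, and singles out sources that hit several NVRs in a row. The log lines, the NVR inventory and the allow-list are all constructed for the example, and the simplified iptables LOG field layout is an assumption about the log source.

```python
"""Audit firewall logs for Xiongmai NVR management-port (34567) access from outside the allow-list."""
import ipaddress
import re
from collections import defaultdict

# TCP port of the Xiongmai NVR management/upgrade protocol named in the advisory.
XM_MGMT_PORT = 34567

# Constructed, simplified iptables LOG-style lines for this example; not real traffic.
SAMPLE_LOG = """\
Aug 16 20:01:02 fw kernel: [IN=eth1 OUT=eth2 SRC=10.20.5.10 DST=10.30.0.11 PROTO=TCP SPT=51200 DPT=34567 SYN]
Aug 16 20:01:09 fw kernel: [IN=eth1 OUT=eth2 SRC=10.20.5.10 DST=10.30.0.12 PROTO=TCP SPT=51201 DPT=34567 SYN]
Aug 16 20:02:44 fw kernel: [IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=10.30.0.11 PROTO=TCP SPT=40022 DPT=34567 SYN]
Aug 16 20:02:45 fw kernel: [IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=10.30.0.12 PROTO=TCP SPT=40023 DPT=34567 SYN]
Aug 16 20:02:46 fw kernel: [IN=eth0 OUT=eth2 SRC=203.0.113.77 DST=10.30.0.13 PROTO=TCP SPT=40024 DPT=34567 SYN]
Aug 16 20:03:10 fw kernel: [IN=eth1 OUT=eth2 SRC=10.20.7.3 DST=10.30.0.11 PROTO=TCP SPT=33010 DPT=34567 SYN]
Aug 16 20:03:11 fw kernel: [IN=eth1 OUT=eth2 SRC=10.20.7.3 DST=10.30.0.11 PROTO=TCP SPT=33011 DPT=80 SYN]
Aug 16 20:04:00 fw kernel: [IN=eth1 OUT=eth2 SRC=10.20.5.10 DST=10.40.0.5 PROTO=TCP SPT=51300 DPT=34567 SYN]
"""

# Hypothetical asset inventory and management allow-list (assumptions for the example).
NVR_HOSTS = ["10.30.0.11", "10.30.0.12", "10.30.0.13"]
MGMT_ALLOWLIST = ["10.20.5.0/24"]

# Field extractors; searched independently so extra fields between them do not matter.
_FIELDS = {
    "src": re.compile(r"\bSRC=([\d.]+)"),
    "dst": re.compile(r"\bDST=([\d.]+)"),
    "proto": re.compile(r"\bPROTO=(\w+)"),
    "dpt": re.compile(r"\bDPT=(\d+)"),
}


def parse_event(line):
    """Return a dict with ts/src/dst/proto/dpt, or None if the line is not a usable log record."""
    vals = {}
    for name, rx in _FIELDS.items():
        m = rx.search(line)
        if not m:
            return None
        vals[name] = m.group(1)
    try:
        return {
            "ts": line[:15],  # syslog "Mon DD HH:MM:SS" prefix
            "src": ipaddress.ip_address(vals["src"]),
            "dst": ipaddress.ip_address(vals["dst"]),
            "proto": vals["proto"],
            "dpt": int(vals["dpt"]),
        }
    except ValueError:  # malformed address: skip the line rather than crash the audit
        return None


def audit_nvr_access(log_text, nvr_hosts=NVR_HOSTS, mgmt_allowlist=MGMT_ALLOWLIST):
    """Flag 34567 connections to known NVRs from outside the allow-list and 34567 targets not in inventory."""
    nvrs = {ipaddress.ip_address(h) for h in nvr_hosts}
    allowed = [ipaddress.ip_network(n) for n in mgmt_allowlist]
    alerts, unlisted = [], set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] != XM_MGMT_PORT:
            continue
        if ev["dst"] not in nvrs:
            # Something not in the inventory is being spoken to on the NVR management port.
            unlisted.add(str(ev["dst"]))
            continue
        if any(ev["src"] in net for net in allowed):
            continue  # expected management traffic
        alerts.append((ev["ts"], str(ev["src"]), str(ev["dst"])))
    return {"alerts": alerts, "unlisted_targets": sorted(unlisted)}


def find_sweeps(alerts, min_targets=3):
    """Sources that reached at least min_targets distinct NVRs: a scan pattern, not one admin session."""
    targets = defaultdict(set)
    for _ts, src, dst in alerts:
        targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    result = audit_nvr_access(SAMPLE_LOG)
    for ts, src, dst in result["alerts"]:
        print(f"{ts} ALERT {src} -> {dst}:{XM_MGMT_PORT} from outside the management allow-list")
    for dst in result["unlisted_targets"]:
        print(f"INVENTORY GAP: {dst} is reached on {XM_MGMT_PORT} but is not a known NVR")
    for src, n in find_sweeps(result["alerts"]).items():
        print(f"SWEEP: {src} contacted {n} NVRs on {XM_MGMT_PORT}")
```

On the constructed sample this yields four alerts (three from the external address 203.0.113.77, one from an internal host outside the allow-list), one inventory gap (10.40.0.5) and one sweep (203.0.113.77 reaching three NVRs in three seconds); traffic from the allow-listed management subnet and the port 80 line are ignored. The same logic maps directly onto a SIEM rule: match destination port 34567, exclude the management allow-list, and aggregate distinct destinations per source over a short window.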
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-11-08T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf08e1
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/22/2025, 4:07:51 AM
Last updated: 8/16/2025, 8:13:00 PM
Related Threats
- CVE-2025-3495 (Critical): CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
- CVE-2025-53948 (High): CWE-415 Double Free in Santesoft Sante PACS Server
- CVE-2025-52584 (High): CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
- CVE-2025-46269 (High): CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
- CVE-2025-54862 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server