CVE-2022-45045 is a high-severity vulnerability affecting multiple Xiongmai Network Video Recorder (NVR) devices, including models MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000. The vulnerability allows an authenticated attacker to execute arbitrary operating system commands with root privileges remotely. Exploitation occurs via a crafted JSON file sent during an upgrade request to the device's service listening on TCP port 34567. The attacker must authenticate, potentially using default credentials (admin:tlJwpbo6), which are known to be present on some devices. This vulnerability stems from improper input validation and command execution mechanisms, categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Although patches have been applied by Xiongmai since at least 2021 to prevent the execution of telnetd via this vector, the underlying command injection flaw remains exploitable for arbitrary commands. The vulnerability has been exploited in the wild since approximately 2019, indicating active targeting of these devices. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, requiring privileges but no user interaction. The affected devices are typically used in surveillance and security infrastructure, making them critical assets in physical security environments.

For European organizations, the exploitation of CVE-2022-45045 poses significant risks. Compromised NVR devices can lead to unauthorized access to surveillance footage, undermining privacy and security compliance obligations such as GDPR. Attackers gaining root access can manipulate or delete video evidence, disrupt surveillance operations, or use the devices as pivot points for lateral movement within networks. This can result in operational downtime, loss of trust, and potential regulatory penalties. Given the devices' role in physical security, exploitation could also facilitate physical breaches or espionage. The high severity and remote exploitability mean that attackers can compromise these devices without physical access, increasing the threat surface. The presence of default credentials exacerbates the risk, especially in environments where device hardening is insufficient. Furthermore, the ability to execute arbitrary commands as root could allow attackers to install persistent backdoors, launch further attacks, or exfiltrate sensitive data, impacting confidentiality, integrity, and availability.

1. Immediate audit and inventory of all Xiongmai NVR devices within the organization to identify affected models and firmware versions. 2. Change all default credentials on these devices to strong, unique passwords to prevent unauthorized authentication. 3. Restrict network access to port 34567 by implementing firewall rules or network segmentation, allowing only trusted management hosts to communicate with NVR devices. 4. Where possible, upgrade device firmware to the latest version provided by Xiongmai that includes patches mitigating command injection vectors, even if partial, to reduce attack surface. 5. Implement network monitoring and intrusion detection systems to alert on unusual activity targeting NVR devices, especially on port 34567 or anomalous upgrade requests. 6. Disable remote upgrade features if not required or restrict them to secure management networks. 7. Regularly review and update device configurations to adhere to security best practices, including disabling unused services and enforcing least privilege principles. 8. Consider deploying compensating controls such as application-layer gateways or proxy services that validate upgrade requests before forwarding them to devices. 9. Conduct security awareness training for administrators managing these devices to recognize and respond to potential exploitation attempts. 10. Develop incident response plans specifically addressing potential compromises of surveillance infrastructure.