CVE-2022-45045
Severity CVSS v4.0:
Pending analysis
Type:
CWE-78
OS Command Injections
Publication date:
01/12/2022
Last modified:
24/04/2025
Description
Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:h:xiongmaitech:mbd6304t:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd6808t-pl:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7004t-p:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7008t-p:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7016t-f-v2:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7024h-p:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7024t-p:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7804r-f\(ep\):*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7804r-f\(hdmi\):*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7804r-fw:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7804t-pl:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7808r-pl\(ep\):*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7808r-pl\(hdmi\):*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7808t-pl:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:xiongmaitech:nbd7904r-fs:*:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page