HIGH · 8.8

CVE-2022-45045

Vulnerability Description

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.
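
The "admin:tlJwpbo6" pair in the description is easy to misread as a fixed default password. It is not: Xiongmai's login protocol (DVRIP, also called "Sofia") sends a custom 8-character digest in the PassWord field, and "tlJwpbo6" is that digest for an empty password. The device therefore ships as admin with no password, and the exposure question for every model in the list below is whether that empty password still works on TCP 34567. The following Python is an added example, not code from the advisory or from Xiongmai: it implements the hash, checks it against the advisory's own string, and offers a read-only login probe (no upgrade request is sent). The frame layout, message id 1000 and the Ret=100 success code come from public DVRIP client implementations and are assumptions as far as this page is concerned.

```python
"""Xiongmai DVRIP ("Sofia") helpers: login password hash, 20-byte frame
format, and an optional default-credential probe against TCP/34567.

Added example, not code from the advisory or from Xiongmai. The framing,
message ids and return code follow publicly documented DVRIP clients and
are assumptions here; the hash is verified against the advisory's own
admin:tlJwpbo6 string.
"""
import hashlib
import json
import socket
import struct

DVRIP_PORT = 34567            # port named in the advisory
MSG_LOGIN_REQ = 1000          # DVRIP login request (assumed; reply is 1001)
RET_OK = 100                  # "Ret" value on a successful login (assumed)
# Header: 0xFF, version, 2 reserved, session(u32), sequence(u32),
# 2 reserved (channel/end flag), message id(u16), payload length(u32).
HEADER = struct.Struct("<BB2xII2xHI")
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sofia_hash(password: str) -> str:
    """Xiongmai's password 'hash': MD5 the password, then sum each pair of
    digest bytes mod 62 into one alphanumeric character (8 chars total).
    Unsalted and device-independent, so one lookup table covers every unit."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "".join(ALNUM[(digest[i] + digest[i + 1]) % 62] for i in range(0, 16, 2))


def login_request(user: str, password: str) -> dict:
    """JSON body of a DVRIP login; PassWord carries the sofia hash, not raw MD5."""
    return {"EncryptType": "MD5", "LoginType": "DVRIP-Web",
            "UserName": user, "PassWord": sofia_hash(password)}


def build_frame(msg_id: int, payload: dict, session: int = 0, seq: int = 0) -> bytes:
    """Serialise one DVRIP frame: header + compact JSON + the "\\n\\0"
    terminator reference clients send (the terminator counts in the length)."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8") + b"\x0a\x00"
    return HEADER.pack(0xFF, 0, session, seq, msg_id, len(body)) + body


def parse_frame(data: bytes) -> tuple:
    """Split a raw frame into (session, seq, msg_id, payload_dict).
    Raises ValueError on a bad magic byte or a truncated payload."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    magic, _ver, session, seq, msg_id, length = HEADER.unpack(data[:HEADER.size])
    if magic != 0xFF:
        raise ValueError("not a DVRIP frame")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated payload")
    payload = json.loads(body.rstrip(b"\x00\x0a").decode("utf-8"))
    return session, seq, msg_id, payload


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; recv() alone may return a partial header."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def accepts_default_credentials(host: str, port: int = DVRIP_PORT, timeout: float = 5.0) -> bool:
    """Log in as admin with the empty (default) password. True means the device
    still accepts the credentials the advisory says were used in the wild.
    This is a single login attempt; it does not send an upgrade request."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_frame(MSG_LOGIN_REQ, login_request("admin", "")))
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[5]
        _, _, _, reply = parse_frame(header + _recv_exact(sock, length))
    return reply.get("Ret") == RET_OK


if __name__ == "__main__":
    import sys
    print("sofia_hash('') =", sofia_hash(""))   # the advisory's tlJwpbo6
    if len(sys.argv) > 1:                        # optional: python dvrip_check.py <nvr-ip>
        print(sys.argv[1], "accepts admin/<empty>:", accepts_default_credentials(sys.argv[1]))
```

Run it with no arguments to see that the empty password hashes to tlJwpbo6; pass an NVR address you are authorised to test to learn whether that unit still accepts the default login. Because the digest is unsalted, a PassWord value captured on the wire can also be compared against precomputed hashes of common passwords, which is one more reason to keep port 34567 off any untrusted network.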

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor         Product             Versions
Xiongmaitech   Mbd6304T            -
Xiongmaitech   Nbd6808T-Pl         -
Xiongmaitech   Nbd7004T-P          All versions
Xiongmaitech   Nbd7008T-P          All versions
Xiongmaitech   Nbd7016T-F-V2       All versions
Xiongmaitech   Nbd7024H-P          All versions
Xiongmaitech   Nbd7024T-P          All versions
Xiongmaitech   Nbd7804R-F(Ep)      All versions
Xiongmaitech   Nbd7804R-F(Hdmi)    All versions
Xiongmaitech   Nbd7804R-Fw         All versions
Xiongmaitech   Nbd7804T-Pl         All versions
Xiongmaitech   Nbd7808R-Pl(Ep)     All versions
Xiongmaitech   Nbd7808R-Pl(Hdmi)   All versions
Xiongmaitech   Nbd7808T-Pl         All versions
Xiongmaitech   Nbd7904R-Fs         All versions
Xiongmaitech   Nbd7904T-P          All versions
Xiongmaitech   Nbd7904T-Pl         All versions
Xiongmaitech   Nbd7904T-Pl-Xpoe    -
Xiongmaitech   Nbd7904T-Plc-Xpoe   -
Xiongmaitech   Nbd7904T-Q          All versions

A dash means the page gives no version range for that model. The description names the affected firmware builds for two of them: MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000.

Related Weaknesses (CWE)

None listed on this page.

References

None listed on this page.

FAQ

What is CVE-2022-45045?

CVE-2022-45045 is a vulnerability with a CVSS score of 8.8 (HIGH) in multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000. A remote attacker who can authenticate to the service on TCP port 34567 (possibly with the default admin:tlJwpbo6 credentials) can execute arbitrary operating system commands as root by supplying a crafted JSON file in an upgrade request. It has been exploited in the wild since approximately 2019.

How severe is CVE-2022-45045?

CVE-2022-45045 has been rated HIGH with a CVSS 3.1 base score of 8.8/10 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is reachable over the network, needs no user interaction and no special conditions, and a successful exploit gives root-level control of the device, so confidentiality, integrity and availability are all rated HIGH. The only metric holding it below Critical is Privileges Required: LOW, meaning the attacker must authenticate first; on a device that still accepts the default admin credentials named in the description, that barrier is effectively absent.

Is there a patch for CVE-2022-45045?

No vendor advisory is listed on this page. The description states that since at least 2021 Xiongmai has applied patches that stop this mechanism from being used to start telnetd; it does not say whether the underlying command execution in the upgrade handler is closed entirely, so any listed model that is not on current vendor firmware should be treated as exposed. Independent of patch status, change the default admin password and keep TCP port 34567 off untrusted networks, since the attack requires authentication and the in-the-wild exploitation relied on the default credentials. Affected products include: Xiongmaitech Mbd6304T, Xiongmaitech Nbd6808T-Pl, Xiongmaitech Nbd7004T-P, Xiongmaitech Nbd7008T-P, Xiongmaitech Nbd7016T-F-V2 (see the full list above).