CVE-2025-1338
Published: 16 February 2025
Description
A vulnerability was found in NUUO Camera up to 20250203. It has been declared as critical. This vulnerability affects the function print_file of the file /handle_config.php. The manipulation of the argument log leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1338 is a critical command injection vulnerability affecting NUUO Camera software versions up to 20250203. The flaw exists in the print_file function of the /handle_config.php file, where manipulation of the "log" argument enables arbitrary command injection. Classified under CWE-74 and CWE-77, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-16.
Remote attackers can exploit this vulnerability over the network with low attack complexity and without authentication, privileges, or user interaction. By injecting malicious commands via the "log" parameter, attackers can achieve limited impacts on confidentiality, integrity, and availability, potentially leading to unauthorized command execution on the device.
Advisories from VulDB indicate that the exploit has been publicly disclosed via references including a Baidu share link and may be actively used. The vendor was contacted early regarding the issue but provided no response, and no patches or specific mitigations are detailed in the available information.
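With no patch or mitigation listed, web server access logs are one place to look for attempts against this endpoint. The following is an added example, not code from the advisory or the vendor: it flags requests to /handle_config.php whose "log" parameter is not a plain file name. The combined log format, the allowlist pattern, and the sample lines are assumptions; the advisory does not say how the parameter is delivered.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate "log" value looks like a plain file name.
SAFE_LOG_VALUE = re.compile(r"[A-Za-z0-9._-]{1,64}")
# Client address and request line of a combined-format access log entry.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

ENDPOINT = "/handle_config.php"  # path named in the advisory
PARAM = "log"                    # argument named in the advisory

def classify(line):
    """Return (client_ip, verdict) for requests to the endpoint, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so encoded characters are checked too.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    if values is None:
        # The parameter may be in a request body, which access logs do not record.
        return (m.group("ip"), "review")
    if all(SAFE_LOG_VALUE.fullmatch(v) for v in values):
        return (m.group("ip"), "ok")
    return (m.group("ip"), "suspicious")

def scan(lines):
    """Return every (client_ip, verdict) pair that needs an analyst's attention."""
    return [r for r in map(classify, lines) if r and r[1] != "ok"]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [16/Feb/2025:10:00:00 +0000] "GET /handle_config.php?log=system.log HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Feb/2025:10:00:05 +0000] "GET /handle_config.php?log=system.log%3Becho%20test HTTP/1.1" 200 87',
    '203.0.113.4 - - [16/Feb/2025:10:00:09 +0000] "POST /handle_config.php HTTP/1.1" 200 40',
    '192.0.2.10 - - [16/Feb/2025:10:00:12 +0000] "GET /index.php?log=a%3Bb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE):
        print(ip, verdict)
```

A "review" verdict means the request reached the endpoint but the parameter was not visible in the logged URL, so body-level logging or packet capture is needed to judge it.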
Details
- CWE(s)