Vacron NVR Remote Command Injection Vulnerability Allowing Unauthenticated Remote Code Execution
Vulnerability
A remote command injection vulnerability has been identified in Vacron Network Video Recorder (NVR) devices running firmware version 1.4. This vulnerability arises from inadequate input sanitization in the 'board.cgi' script, allowing unauthenticated attackers to send crafted HTTP requests that execute arbitrary commands on the underlying operating system. The commands are executed with the privileges of the web server process, potentially leading to full device compromise.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with commands executed under the web server's privileges. This could lead to a complete compromise of the device.
Reproduction
The vulnerability can be reproduced by sending an HTTP request to 'board.cgi' with the 'cmd' parameter set to a desired command. The server will execute the command and return the output. This can be automated with a script or tool that sends HTTP requests, such as curl or a Python script using the requests library.
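As an added defender-side example (not part of this advisory or of any Vacron tooling), the following Python script scans web-server access logs for requests to 'board.cgi' that carry the 'cmd' parameter described above. It assumes the combined log format; the log lines are constructed samples, and the request to 'board.cgi' without 'cmd' shows how ordinary use of the script is left unflagged.

```python
"""Flag access-log entries that match the board.cgi 'cmd' injection pattern."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/nginx): client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /board.cgi?cmd=id HTTP/1.1" 200 44
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /board.cgi?cmd=ls HTTP/1.1" 200 30
192.0.2.4 - - [10/Oct/2023:13:56:05 +0000] "POST /board.cgi HTTP/1.1" 200 10
192.0.2.4 - - [10/Oct/2023:13:57:12 +0000] "GET /board.cgi?page=2 HTTP/1.1" 200 100
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for board.cgi requests: 'cmd-injection' when a 'cmd'
    query parameter is present, 'review' for POSTs (the body, where the
    parameter may also travel, is not in the log), otherwise None."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/board.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    base = {"client": entry["client"], "time": entry["time"]}
    if "cmd" in params:
        return dict(base, severity="cmd-injection", cmd=params["cmd"][0])
    if entry["method"] == "POST":
        return dict(base, severity="review", cmd=None)
    return None


def scan_log(text):
    """Return the list of findings for every parseable line in the log text."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and (finding := classify(entry)):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Lines that do not parse (rotated-log headers, truncated entries) are skipped rather than raising, so the scanner can be pointed at a whole log directory.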
