By Lyrie Threat Intelligence · 12/18/2024

What happened

CISA added CVE-2018-14933 to the Known Exploited Vulnerabilities catalog on 2024-12-18, with a remediation due date of 2025-01-08 (CISA KEV). The KEV entry identifies NUUO NVRmini Devices as affected and flags the product as end-of-life/end-of-service, directing users to discontinue utilization (CISA KEV). By definition, inclusion in KEV indicates observed exploitation in the wild against this CVE (CISA KEV).

The vulnerability is an OS command injection that enables remote command execution via shell metacharacters injected into the uploaddir parameter of a writeuploaddir command (NVD entry). The MITRE record tracks the same CVE and aligns on the injection vector against the NUUO NVRmini family (MITRE CVE record).

Why it matters

This is a classic OS Command Injection (CWE-78) weakness that can grant system-level command execution when user-controlled input is passed to the underlying shell without proper sanitization (NVD entry). CISA’s EOL/EoS directive means you should plan removal, not patching, because the vendor device line is no longer supported per the KEV guidance for this entry (CISA KEV). With active exploitation reported by KEV and no support path, these appliances represent durable footholds for attackers until physically decommissioned (CISA KEV).

For risk tracking, CISA lists “Known ransomware campaign use: Unknown,” but that does not reduce urgency once a device class is KEV-listed and out of service life (CISA KEV). The combination of remote command execution and surveillance/NVR placement makes this a high-leverage entry point within many environments (NVD entry).

Technical detail

Per the NVD, the flaw resides in request handling for a configuration write path, where the uploaddir parameter of a writeuploaddir command is concatenated or otherwise relayed to the OS shell, enabling command injection with shell metacharacters (NVD entry). The result is arbitrary command execution on the NUUO NVRmini device when an attacker supplies crafted input to that parameter (MITRE CVE record). This maps directly to CWE-78 (OS Command Injection) in the NVD classification for the CVE (NVD entry).

Key points tied to the public records:

  • Affected product family: NUUO NVRmini Devices, per the KEV entry (CISA KEV).
  • Impact: Remote command execution via shell metacharacter injection into the uploaddir parameter (NVD entry).
  • Weakness: CWE-78 OS Command Injection mapped by NVD for CVE-2018-14933 (NVD entry).

Because KEV inclusion reflects active exploitation, defenders should assume opportunistic scanning and targeted attempts that include crafted values for the writeuploaddir/uploaddir flow (CISA KEV). Any processing path that forwards user-controlled strings to a shell without strict quoting/whitelisting is susceptible to metacharacter-driven execution as captured by CWE-78 (NVD entry).

Defense

Action is unambiguous: the KEV entry states the impacted product is EOL/EoS and that users should discontinue utilization of NUUO NVRmini devices (CISA KEV). Track decommissioning to the KEV due date (2025-01-08) if you are a covered entity and document removal to close the exposure window (CISA KEV).

Short-term triage while you execute removal should prioritize identifying and validating any asset matching the NUUO NVRmini profile tied to this CVE (NVD entry). If a device is discovered in production, treat it as a potential point of compromise given the KEV exploitation status and plan for immediate service retirement (CISA KEV).

Detection-wise, look for transactions or config changes invoking writeuploaddir with suspicious uploaddir values consistent with metacharacter injection attempts described in the CVE (NVD entry). Because this is CWE-78 class, outbound anomalies from an NVR appliance following a config call may indicate command execution success (NVD entry).
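
The detection described above, as an added example that is not part of the original article or of any Lyrie tooling: it scans common-format access log lines from a proxy in front of the NVR for writeuploaddir requests and flags uploaddir values that carry shell metacharacters, including double-encoded ones. The handler path /PLACEHOLDER_HANDLER, the cmd parameter name and the log lines are constructed assumptions; the page does not give the request format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters a shell interprets; none belong in a plain upload directory path.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\r\n]""")
# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')
# Constructed sample lines; the path and the "cmd" parameter name are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Dec/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [18/Dec/2024:10:00:05 +0000] "GET /PLACEHOLDER_HANDLER?cmd=writeuploaddir&uploaddir=%2Fmnt%2Fupload HTTP/1.1" 200 17',
    '198.51.100.7 - - [18/Dec/2024:10:02:11 +0000] "GET /PLACEHOLDER_HANDLER?cmd=writeuploaddir&uploaddir=%2Ftmp%3BEXAMPLE HTTP/1.1" 200 17',
    '198.51.100.7 - - [18/Dec/2024:10:02:12 +0000] "GET /PLACEHOLDER_HANDLER?cmd=writeuploaddir&uploaddir=%2Ftmp%253BEXAMPLE HTTP/1.1" 200 17',
]


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return 'suspicious', 'review' or None for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    params = parse_qsl(urlsplit(match.group("target")).query, keep_blank_values=True)
    # Assumption: the command name travels as the value of some query parameter.
    if not any(value.lower() == "writeuploaddir" for _, value in params):
        return None
    dirs = [fully_decode(value) for key, value in params if key.lower() == "uploaddir"]
    if any(SHELL_META.search(d) for d in dirs):
        return "suspicious"
    return "review"  # any writeuploaddir call to an EOL device still merits a look


def scan(lines):
    """Return (line_index, verdict) for every line that needs attention."""
    return [(i, v) for i, line in enumerate(lines) if (v := classify(line))]


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_LOG):
        print(verdict, SAMPLE_LOG[index])
```

Access logs record only the request line, so parameters sent in a POST body need the same check applied at a proxy or WAF that can see the body.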

Lyrie Verdict

This KEV-listed, EOL command-injection RCE is exactly where human-speed response loses. Lyrie sensors continuously profile device-specific request flows and auto-flag CVE-bound patterns like writeuploaddir calls bearing metacharacters aligned to CVE-2018-14933’s vector (NVD entry). On first sighting, Lyrie isolates the NVR’s east-west talk path and suppresses follow-on execution at machine speed, without waiting for manual triage (CISA KEV). We then drive enforced decommissioning workflows referencing the KEV mandate to discontinue NUUO NVRmini devices, closing this class of foothold decisively (CISA KEV).

Lyrie Verdict

Machine-speed exploitation versus end-of-life gear is a losing fight for humans. Lyrie detects CVE-2018-14933-patterned writeuploaddir/uploaddir injection on sight, auto-isolates the NVR’s comms, and drives KEV-aligned decommissioning to eliminate the foothold.