What happened
CISA added CVE-2022-23227 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-12-18, signaling confirmed exploitation in the wild, since KEV inclusion requires evidence of active exploitation (CISA KEV). The entry covers NUUO NVRmini2 devices and states the product is end-of-life/end-of-service, with the required action to discontinue use by 2025-01-08 (CISA KEV). The vulnerability is a missing-authentication flaw that lets an unauthenticated attacker upload an encrypted TAR archive and abuse it to add arbitrary users (NVD: CVE-2022-23227, MITRE CVE).
Why it matters
Missing authentication on a critical function directly enables takeover without credentials, matching CWE-306 (Missing Authentication for Critical Function) as assigned for this CVE (NVD: CVE-2022-23227, MITRE CVE). The ability to create arbitrary users via a crafted archive gives durable administrative access with no prior foothold, dramatically lowering attacker cost and dwell time (NVD: CVE-2022-23227). KEV listing means adversaries have already operationalized this vulnerability, so exposure is an immediate problem, not a theoretical risk (CISA KEV). For organizations with legacy or unattended NVR deployments, this class of flaw is high-impact because it bypasses authentication entirely rather than attempting to break it (MITRE CVE).
Technical detail
The vulnerability exists in NUUO NVRmini2 devices and is tracked as CVE-2022-23227 (NVD: CVE-2022-23227). Per the CVE description, an unauthenticated attacker can upload an encrypted TAR archive that the device processes, and this flow can be abused to add arbitrary user accounts on the system (NVD: CVE-2022-23227). This is categorized under CWE-306, reflecting that the critical function handling the archive (and resulting account manipulation) lacks required authentication checks (MITRE CVE).
The risk profile is straightforward: a network-reachable interface that processes uploaded archives without enforcing authentication allows a remote, unauthenticated actor to escalate to administrative control by injecting users into the device configuration (NVD: CVE-2022-23227). Because KEV inclusion confirms exploitation in the wild, any exposed NVRmini2 should be treated as potentially already compromised until proven otherwise (CISA KEV).
Defense
- Discontinue use. CISA’s required action for this KEV entry is explicit: the impacted NUUO NVRmini2 product line is EoL/EoS and should be removed from service, with a due date of 2025-01-08 (CISA KEV).
- Asset triage. Identify and prioritize any NUUO NVRmini2 devices in your environment for accelerated decommissioning, as they are specifically listed as the affected product for CVE-2022-23227 (NVD: CVE-2022-23227).
- Interim containment (if immediate removal is not feasible):
  - Restrict management access to a tightly controlled network segment and block exposure to untrusted networks while you plan replacement (CISA KEV).
  - Monitor for telltale abuse related to this CVE: attempts to upload archive files and any unexpected creation of new user accounts on NVRmini2 systems, which aligns to the described attack path via encrypted TAR upload leading to arbitrary user addition (NVD: CVE-2022-23227, MITRE CVE).
- Assume-compromise checks. Given KEV status, review NVRmini2 devices for unauthorized users and configuration anomalies consistent with archive-processing abuse (CISA KEV, NVD: CVE-2022-23227).
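The monitoring and assume-compromise checks above can be expressed as a small correlation rule: flag unauthenticated archive-style uploads, then pair each with any user-creation event that follows within a short window. The code below is an added illustration, not code from Lyrie, CISA or NUUO; the log field layout, the `/upload_backup.php` path and the content types are constructed assumptions, since the page does not give the device's real endpoint or log format.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real NVRmini2 logs). Access-log fields are an
# assumption: timestamp, source IP, authenticated user ("-" if none), method,
# path, request content type, status. The upload path is a hypothetical placeholder.
ACCESS_LOG = """\
2024-12-20T10:01:02Z 203.0.113.7 admin POST /upload_backup.php multipart/form-data 200
2024-12-20T10:05:40Z 198.51.100.9 - POST /upload_backup.php application/x-tar 200
2024-12-20T10:05:41Z 198.51.100.9 - GET /index.php text/html 200
2024-12-20T11:30:00Z 192.0.2.5 operator GET /live.php text/html 200
"""
# Constructed account-audit lines: timestamp, event, key=value fields.
ACCOUNT_LOG = """\
2024-12-20T10:05:43Z user_created name=svc_backup role=admin
2024-12-20T12:00:00Z user_created name=tech2 role=viewer
"""

# Content types that commonly carry a TAR or other archive body (assumed set).
ARCHIVE_TYPES = ("application/x-tar", "application/gzip", "application/octet-stream")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unauthenticated_uploads(access_log):
    """Return POST requests that carried no authenticated user and an archive-like body."""
    hits = []
    for line in access_log.splitlines():
        ts, src, user, method, path, ctype, status = line.split()
        if method == "POST" and user == "-" and (
                ctype in ARCHIVE_TYPES or ctype.startswith("multipart/")):
            hits.append({"ts": parse_ts(ts), "src": src, "path": path, "ctype": ctype})
    return hits

def correlate(access_log, account_log, window=timedelta(minutes=5)):
    """Pair each unauthenticated upload with user creations that follow it within `window`."""
    uploads = unauthenticated_uploads(access_log)
    findings = []
    for line in account_log.splitlines():
        ts, event, *kv = line.split()
        if event != "user_created":
            continue
        created = parse_ts(ts)
        fields = dict(p.split("=", 1) for p in kv)
        for up in uploads:
            if up["ts"] <= created <= up["ts"] + window:
                findings.append({"src": up["src"], "path": up["path"],
                                 "new_user": fields["name"], "role": fields.get("role")})
    return findings
```

On the sample data only the anonymous TAR upload followed three seconds later by a new admin account is reported; the authenticated admin upload and the unrelated viewer account are not.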
Lyrie Verdict
This is a no-auth, one-packet-style foothold: the device accepts an encrypted TAR upload that can be weaponized to create arbitrary users without credentials (NVD: CVE-2022-23227). KEV confirmation means real adversaries are already automating it (CISA KEV). Lyrie treats this vector as a high-priority autonomous-detection target: we model the archive-upload pathway and resulting user-creation side effects described in the CVE, then correlate them at machine speed across telemetry to flag and isolate devices before persistence takes hold (MITRE CVE, NVD: CVE-2022-23227). Concretely, that means: detecting anomalous archive-like transfers to NVRmini2 surfaces, immediate alerts when new accounts appear out-of-band relative to normal admin activity, and auto-quarantine policies for assets matching NVRmini2 fingerprints until they’re replaced (NVD: CVE-2022-23227). Against rogue AI agents that iterate faster than human response, this level of autonomous, pre-credential detection is the difference between a contained attempt and a new foothold.
Lyrie Verdict
Lyrie prioritizes autonomous detection of the unauthenticated encrypted-TAR upload pathway and correlated arbitrary user creation described in CVE-2022-23227, enabling machine-speed isolation of NVRmini2 assets before persistence is established.