Video surveillance recorders RIDDLED with 0-days

There are multiple Web interface vulnerabilities in a network video recorder under Netgear’s ReadyNAS brand and various devices by video recording company NUUO.

The affected NUUO units are NVRmini 2, NVRsolo, and Crystal.

The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attacked to the affected products, ranging from input validation issues to buffer overruns. Under CVE-2016-5674, there’s a hidden page in the Web management interface that looks like someone wrote it while the product was under development, and forgot to take it out.