Mallory
High · Public exploit

Authenticated Command Injection in Xiongmai NVR Upgrade Service

Identifiers: CVE-2022-45045 · CWE-78 (Improper Neutralization of Special…)

CVE-2022-45045 affects multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000. The vulnerability is an authenticated remote OS command injection in the proprietary service listening on TCP port 34567, specifically in the device upgrade logic. An attacker who can authenticate to the device can submit a crafted JSON file as part of an upgrade request and cause arbitrary operating system commands to be executed with root privileges. The issue has been observed exploited in the wild since approximately 2019. Default or weak credentials, including admin:tlJwpbo6, may make the authentication requirement trivial in practice on exposed devices.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in arbitrary command execution as root on the target device. This gives an attacker full control of the appliance, including the ability to start remote access services such as telnetd, modify system state, deploy botnet malware, maintain persistence, interfere with device operation, and use the device as a foothold for further network activity. Observed in-the-wild payloads opened telnetd on port 9001 and used long sleep commands to keep the device from rebooting and to hold the upgrade channel, indicating practical post-exploitation persistence and remote administration.

Mitigation

If you can’t patch tonight, do this now.

Do not expose the device management interface or the proprietary service on TCP port 34567 to the public internet. Restrict access to trusted management networks only, using firewall ACLs or network segmentation. Change default credentials immediately and audit for credential reuse or leakage, especially because the authentication requirement may be bypassed in practice through default credentials or credentials disclosed by CVE-2017-7577. Disable or tightly control remote upgrade functionality where possible. Monitor for unexpected telnet exposure, especially on port 9001, and for suspicious upgrade requests or long-running sleep/telnetd command patterns. If compromise is suspected, isolate the device, reflash with trusted firmware, rotate credentials, and inspect for persistence.
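
The monitoring guidance above can be turned into a simple triage over flow records and device process listings. The following is an added example, not code from the vendor or from this page; the flow-record format, the management network, the NVR inventory, the sleep threshold and all sample data are constructed assumptions.

```python
import ipaddress
import re

# Site-specific assumptions (constructed, not from the page).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # trusted management network
NVR_HOSTS = {"192.0.2.10", "192.0.2.11"}            # inventory of NVR addresses
UPGRADE_PORT = 34567     # proprietary service port named on the page
TELNET_PORT = 9001       # telnetd port seen in the observed payloads
LONG_SLEEP_SECS = 3600   # assumed threshold for a "long" sleep

def triage_flows(lines):
    """Flag flows (CSV: src,dst,dport) that violate the mitigation guidance."""
    findings = []
    for line in lines:
        src, dst, dport = line.strip().split(",")
        if dst not in NVR_HOSTS:
            continue
        trusted = any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
        if int(dport) == UPGRADE_PORT and not trusted:
            findings.append(("untrusted-34567", src, dst))
        elif int(dport) == TELNET_PORT:
            findings.append(("telnet-9001", src, dst))
    return findings

def triage_processes(ps_lines):
    """Flag telnetd and long-running sleep in a device process listing."""
    findings = []
    for line in ps_lines:
        if re.search(r"\btelnetd\b", line):
            findings.append(("telnetd-running", line.strip()))
        m = re.search(r"\bsleep\s+(\d+)\b", line)
        if m and int(m.group(1)) >= LONG_SLEEP_SECS:
            findings.append(("long-sleep", line.strip()))
    return findings

# Constructed sample data for illustration.
SAMPLE_FLOWS = [
    "10.20.0.5,192.0.2.10,34567",     # management host: allowed
    "203.0.113.77,192.0.2.10,34567",  # outside management network
    "203.0.113.77,192.0.2.10,9001",   # telnet port on an NVR
    "10.20.0.5,192.0.2.50,34567",     # destination is not an NVR
]
SAMPLE_PS = [
    "  1 root init",
    "812 root telnetd -p 9001",
    "813 root sleep 100000",
    "900 root sleep 5",
]

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS) + triage_processes(SAMPLE_PS):
        print(finding)
```

Any finding on an NVR address is a reason to isolate the device and follow the compromise steps listed above.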

Remediation

Patch, then assume compromise.

Apply vendor firmware updates that address the port 34567 upgrade command-injection path. Xiongmai had reportedly applied patches by at least 2021 to prevent attackers from using this mechanism to execute telnetd, and had also modified the upgrade logic around 2020 to require filesystem files, add a digital-signature check, and block scripts containing "telnetd". Because many internet-facing devices reportedly still run older firmware and rebranded products may lag in updates, operators should obtain the latest fixed firmware from the device vendor or OEM and verify whether the specific rebranded model has received the Xiongmai fix. Devices that cannot be updated should be considered exposed and high risk.

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Xiongmaitech | Mbd6304t | hardware
Xiongmaitech | Mbd6304t Firmware | operating_system
Xiongmaitech | Nbd6808t-Pl | hardware
Xiongmaitech | Nbd6808t-Pl Firmware | operating_system
Xiongmaitech | Nbd7004t-P | hardware
Xiongmaitech | Nbd7004t-P Firmware | operating_system
Xiongmaitech | Nbd7008t-P | hardware
Xiongmaitech | Nbd7008t-P Firmware | operating_system
Xiongmaitech | Nbd7016t-F-V2 | hardware
Xiongmaitech | Nbd7016t-F-V2 Firmware | operating_system
Xiongmaitech | Nbd7024h-P | hardware
Xiongmaitech | Nbd7024h-P Firmware | operating_system
Xiongmaitech | Nbd7024t-P | hardware
Xiongmaitech | Nbd7024t-P Firmware | operating_system
Xiongmaitech | Nbd7804r-F(Ep) | hardware
Xiongmaitech | Nbd7804r-F(Ep) Firmware | operating_system
Xiongmaitech | Nbd7804r-F(Hdmi) | hardware
Xiongmaitech | Nbd7804r-F(Hdmi) Firmware | operating_system
Xiongmaitech | Nbd7804r-Fw | hardware
Xiongmaitech | Nbd7804r-Fw Firmware | operating_system
Xiongmaitech | Nbd7804t-Pl | hardware
Xiongmaitech | Nbd7804t-Pl Firmware | operating_system
Xiongmaitech | Nbd7808r-Pl(Ep) | hardware
Xiongmaitech | Nbd7808r-Pl(Ep) Firmware | operating_system
Xiongmaitech | Nbd7808r-Pl(Hdmi) | hardware
Xiongmaitech | Nbd7808r-Pl(Hdmi) Firmware | operating_system
Xiongmaitech | Nbd7808t-Pl | hardware
Xiongmaitech | Nbd7808t-Pl Firmware | operating_system
Xiongmaitech | Nbd7904r-Fs | hardware
Xiongmaitech | Nbd7904r-Fs Firmware | operating_system
Xiongmaitech | Nbd7904t-P | hardware
Xiongmaitech | Nbd7904t-P Firmware | operating_system
Xiongmaitech | Nbd7904t-Pl | hardware
Xiongmaitech | Nbd7904t-Pl Firmware | operating_system
Xiongmaitech | Nbd7904t-Pl-Xpoe | hardware
Xiongmaitech | Nbd7904t-Pl-Xpoe Firmware | operating_system
Xiongmaitech | Nbd7904t-Plc-Xpoe | hardware
Xiongmaitech | Nbd7904t-Plc-Xpoe Firmware | operating_system
Xiongmaitech | Nbd7904t-Q | hardware
Xiongmaitech | Nbd7904t-Q Firmware | operating_system
Xiongmaitech | Nbd7908t-Q | hardware
Xiongmaitech | Nbd7908t-Q Firmware | operating_system
Xiongmaitech | Nbd8004r-Pl(Ep) | hardware
Xiongmaitech | Nbd8004r-Pl(Ep) Firmware | operating_system
Xiongmaitech | Nbd8004r-Yl(Ep) | hardware
Xiongmaitech | Nbd8004r-Yl(Ep) Firmware | operating_system
Xiongmaitech | Nbd8004t-Q | hardware
Xiongmaitech | Nbd8004t-Q Firmware | operating_system
Xiongmaitech | Nbd8008r-Pl | hardware
Xiongmaitech | Nbd8008r-Pl Firmware | operating_system
Xiongmaitech | Nbd8008r-Pl(Ep) | hardware
Xiongmaitech | Nbd8008r-Pl(Ep) Firmware | operating_system
Xiongmaitech | Nbd8008r-Yl(Ep) | hardware
Xiongmaitech | Nbd8008r-Yl(Ep) Firmware | operating_system
Xiongmaitech | Nbd8008ra-Gl | hardware
Xiongmaitech | Nbd8008ra-Gl Firmware | operating_system
Xiongmaitech | Nbd8008ra-Glk | hardware
Xiongmaitech | Nbd8008ra-Glk Firmware | operating_system
Xiongmaitech | Nbd8008ra-Ul(Ep) | hardware
Xiongmaitech | Nbd8008ra-Ul(Ep) Firmware | operating_system
Xiongmaitech | Nbd8008ra-Ula | hardware
Xiongmaitech | Nbd8008ra-Ula Firmware | operating_system
Xiongmaitech | Nbd8008ra-Ulk | hardware
Xiongmaitech | Nbd8008ra-Ulk Firmware | operating_system
Xiongmaitech | Nbd8008t-Q | hardware
Xiongmaitech | Nbd8008t-Q Firmware | operating_system
Xiongmaitech | Nbd8009s-Ula-V2 | hardware
Xiongmaitech | Nbd8009s-Ula-V2 Firmware | operating_system
Xiongmaitech | Nbd8010s-Kl-V2 | hardware
Xiongmaitech | Nbd8010s-Kl-V2 Firmware | operating_system
Xiongmaitech | Nbd8016r-Ul | hardware
Xiongmaitech | Nbd8016r-Ul Firmware | operating_system
Xiongmaitech | Nbd8016ra-K(Ep) | hardware
Xiongmaitech | Nbd8016ra-K(Ep) Firmware | operating_system
Xiongmaitech | Nbd8016ra-Ul | hardware
Xiongmaitech | Nbd8016ra-Ul Firmware | operating_system
Xiongmaitech | Nbd8016ra-Ul(Ep) | hardware
Xiongmaitech | Nbd8016ra-Ul(Ep) Firmware | operating_system
Xiongmaitech | Nbd8016ra-Ula | hardware
Xiongmaitech | Nbd8016ra-Ula Firmware | operating_system
Xiongmaitech | Nbd8016ra-Ulk | hardware
Xiongmaitech | Nbd8016ra-Ulk Firmware | operating_system
Xiongmaitech | Nbd8016s-Kl-V2 | hardware
Xiongmaitech | Nbd8016s-Kl-V2 Firmware | operating_system
Xiongmaitech | Nbd8016s-Ula-V2 | hardware
Xiongmaitech | Nbd8016s-Ula-V2 Firmware | operating_system
Xiongmaitech | Nbd8016t-Q-V2 | hardware
Xiongmaitech | Nbd8016t-Q-V2 Firmware | operating_system
Xiongmaitech | Nbd8025r-Ul | hardware
Xiongmaitech | Nbd8025r-Ul Firmware | operating_system
Xiongmaitech | Nbd8032h4-P | hardware
Xiongmaitech | Nbd8032h4-P Firmware | operating_system
Xiongmaitech | Nbd8032h4-Q | hardware
Xiongmaitech | Nbd8032h4-Q Firmware | operating_system
Xiongmaitech | Nbd8032h4-Qe | hardware
Xiongmaitech | Nbd8032h4-Qe Firmware | operating_system
Xiongmaitech | Nbd8032h4-Ul | hardware
Xiongmaitech | Nbd8032h4-Ul Firmware | operating_system
Xiongmaitech | Nbd8032h8-P | hardware
Xiongmaitech | Nbd8032h8-P Firmware | operating_system
Xiongmaitech | Nbd8032h8-Qe | hardware
Xiongmaitech | Nbd8032h8-Qe Firmware | operating_system
Xiongmaitech | Nbd8032ra-Ul-V2 | hardware
Xiongmaitech | Nbd8032ra-Ul-V2 Firmware | operating_system
Xiongmaitech | Nbd8064h8-P | hardware
Xiongmaitech | Nbd8064h8-P Firmware | operating_system
Xiongmaitech | Nbd80n16ra-Kl | hardware
Xiongmaitech | Nbd80n16ra-Kl Firmware | operating_system
Xiongmaitech | Nbd80n16ra-Kl(Ep) | hardware
Xiongmaitech | Nbd80n16ra-Kl(Ep) Firmware | operating_system
Xiongmaitech | Nbd80s08s-Kl(Ep) | hardware
Xiongmaitech | Nbd80s08s-Kl(Ep) Firmware | operating_system
Xiongmaitech | Nbd80s10s-Kl | hardware
Xiongmaitech | Nbd80s10s-Kl Firmware | operating_system
Xiongmaitech | Nbd80s16s-Kl | hardware
Xiongmaitech | Nbd80s16s-Kl Firmware | operating_system
Xiongmaitech | Nbd80s16s-Kl(Ep) | hardware
Xiongmaitech | Nbd80s16s-Kl(Ep) Firmware | operating_system
Xiongmaitech | Nbd80x09ra-Kl | hardware
Xiongmaitech | Nbd80x09ra-Kl Firmware | operating_system
Xiongmaitech | Nbd80x09s-Kl | hardware
Xiongmaitech | Nbd80x09s-Kl Firmware | operating_system
Xiongmaitech | Nbd88x09s-Kl | hardware
Xiongmaitech | Nbd88x09s-Kl Firmware | operating_system
Xiongmaitech | Nbd8904r-Pl | hardware
Xiongmaitech | Nbd8904r-Pl Firmware | operating_system
Xiongmaitech | Nbd8904r-Yl | hardware
Xiongmaitech | Nbd8904r-Yl Firmware | operating_system
Xiongmaitech | Nbd8904t-Gsc-Xpoe | hardware
Xiongmaitech | Nbd8904t-Gsc-Xpoe Firmware | operating_system
Xiongmaitech | Nbd8904t-Q | hardware
Xiongmaitech | Nbd8904t-Q Firmware | operating_system
Xiongmaitech | Nbd8908r-Pl | hardware
Xiongmaitech | Nbd8908r-Pl Firmware | operating_system
Xiongmaitech | Nbd8908r-Yl | hardware
Xiongmaitech | Nbd8908r-Yl Firmware | operating_system
Xiongmaitech | Nbd8908t-Pl-Xpoe | hardware
Xiongmaitech | Nbd8908t-Pl-Xpoe Firmware | operating_system
Xiongmaitech | Nbd8908t-Plc-Xpoe | hardware
Xiongmaitech | Nbd8908t-Plc-Xpoe Firmware | operating_system
Xiongmaitech | Nbd8916f4-Q | hardware
Xiongmaitech | Nbd8916f4-Q Firmware | operating_system
Xiongmaitech | Nbd8916f8-Q | hardware
Xiongmaitech | Nbd8916f8-Q Firmware | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
