NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from an unauthenticated command injection vulnerability. Due to an undocumented and hidden debugging script, an attacker can inject and execute arbitrary code as the root user via the ‘log’ GET parameter in the ‘__debugging_center_utils___.php’ script. Included is a remote root exploit and an nse file. Versions 3.0.8 and below are affected.