High severity7.5NVD Advisory· Published Aug 31, 2016· Updated May 6, 2026

CVE-2016-5676

Description

cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1.7.5 through 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to reset the administrator password via a cmd=loaddefconfig action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Netgear/Readynas Surveillancellm-fuzzy
Range: >=1.1.1, <=1.4.1
Nuuo/Nvrmini 2llm-fuzzy
Range: >=1.7.5, <=2.x
Nuuo/Nvrsolollm-fuzzy
Range: >=1.7.5, <=2.x

Patches

Vulnerability mechanics

Root cause

"Missing authorization check on the `loaddefconfig` action in `cgi_system` allows unauthenticated password reset."

Attack vector

An unauthenticated remote attacker sends an HTTP GET request to `/cgi-bin/cgi_system?cmd=loaddefconfig` on the affected device. No authentication or prior knowledge is required. The CGI binary processes the `loaddefconfig` command and resets the administrator password to a default value (either "admin" or "password", depending on firmware version) [ref_id=1]. This gives the attacker administrative access to the web interface [CWE-285].

Affected code

The vulnerable endpoint is `/cgi-bin/cgi_system` in the CGI binary `cgi_system`. The `cmd=loaddefconfig` action is exposed without authentication, allowing an unauthenticated attacker to reset the administrator password [ref_id=1].

What the fix does

The advisory states that firmware versions 2.2.1 and 3.0.0 of the NVRmini 2 and NVRsolo are not affected, indicating the fix was applied in those or earlier versions. However, no patch diff is provided in the bundle. The remediation is to require authentication before allowing the `loaddefconfig` action in `cgi_system`, preventing unauthenticated password resets [CWE-285]. ReadyNAS Surveillance remained vulnerable at the time of disclosure [ref_id=1].

Preconditions

authNo authentication required
configTarget must be running an affected firmware version (NVRmini 2 v1.7.5 through pre-2.2.1, NVRsolo v1.7.5 through pre-2.2.1, ReadyNAS Surveillance v1.1.1–v1.4.1)
networkAttacker must have network access to the device's web interface

Reproduction

Send a GET request to `/cgi-bin/cgi_system?cmd=loaddefconfig` on the target device. The administrator password will be reset to "admin" or "password" (depending on firmware version). The attacker can then log in with the default credentials [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.kb.cert.org/vuls/id/856152nvdThird Party AdvisoryUS Government Resource
www.securityfocus.com/bid/92318nvd
www.exploit-db.com/exploits/40200/nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.043
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000