PatchSiren cyber security CVE debrief

CVE-2024-3850 Uniview CVE debrief

CVE-2024-3850 is a reflected cross-site scripting (XSS) vulnerability in the Uniview NVR301-04S2-P4 network video recorder. The flaw exists in pages under the /LAPI/ directory and affects both authenticated and unauthenticated interfaces. An attacker could craft a malicious URL that, when clicked by a victim, executes arbitrary JavaScript in the browser context. The vulnerability was disclosed by CISA on June 4, 2024, and updated on September 24, 2024, with adjusted CVSS scores based on new information. The scope is limited because session data is unavailable to the attacker through this XSS vector.

Vendor: Uniview
Product: NVR301-04S2-P4
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-04
Original CVE updated: 2024-09-24
Advisory published: 2024-06-04
Advisory updated: 2024-09-24

Who should care

Organizations operating Uniview NVR301-04S2-P4 video surveillance systems, physical security teams, OT/ICS security practitioners, and network administrators responsible for video management infrastructure.

Technical summary

The Uniview NVR301-04S2-P4 contains a reflected cross-site scripting vulnerability in the /LAPI/ directory. Both authenticated and unauthenticated pages are affected. The vulnerability allows JavaScript execution via crafted URLs, though session data exfiltration is not possible, limiting the attack scope. The issue was remediated in firmware version NVR-B3801.20.17.240507.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Uniview NVR-B3801.20.17.240507 or later. Contact your local dealer, Uniview Service Hotline, or regional technical support for assistance obtaining the fixed version.
  • Implement network segmentation to restrict access to NVR management interfaces from untrusted networks.
  • Apply defense-in-depth controls including web application firewalls (WAF) with XSS filtering rules for /LAPI/ endpoints.
  • Train users to recognize and avoid clicking suspicious URLs, particularly those targeting video management systems.
  • Monitor for anomalous requests to /LAPI/ paths containing script payloads as indicators of attempted exploitation.
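The last action, monitoring /LAPI/ requests for script payloads, as an added detection example that is not part of the original debrief or of any Uniview tooling: it parses Apache-style access-log lines, keeps only requests under /LAPI/, percent-decodes each query value (including double-encoded ones) and flags values carrying reflected-XSS markers. The log lines, the sub-paths under /LAPI/ and the parameter name are constructed for illustration, not the actual vulnerable endpoint.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). Paths below /LAPI/
# and the "name" parameter are illustrative, not the real vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:10:01:12 +0000] "GET /LAPI/V1.0/System/Time HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2024:10:02:40 +0000] "GET /LAPI/V1.0/System/Info?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2024:10:02:41 +0000] "GET /LAPI/V1.0/System/Info?name=x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:10:03:00 +0000] "GET /index.html?q=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of reflected-XSS probing, matched against the *decoded* query values.
# Tune to local traffic: "\bon[a-z]+\s*=" will also catch benign names such as "once=".
XSS_INDICATORS = re.compile(
    r'<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b', re.IGNORECASE
)

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lapi_xss_probes(log_text):
    """Return (ip, timestamp, path, param, decoded_value) for suspicious /LAPI/ requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line; skip rather than guess
        parts = urlsplit(m['target'])
        if not parts.path.startswith('/LAPI/'):
            continue  # only the affected directory is in scope for this rule
        for param, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)  # parse_qsl decoded once; peel further layers
            if XSS_INDICATORS.search(value):
                hits.append((m['ip'], m['ts'], parts.path, param, value))
    return hits

if __name__ == "__main__":
    for ip, ts, path, param, value in find_lapi_xss_probes(SAMPLE_LOG):
        print(f"{ts} {ip} {path} param={param!r} value={value!r}")
```

On the sample above, the two requests from 203.0.113.9 are reported and the /index.html probe is ignored because it is outside /LAPI/; in production, aggregate hits per source address to separate a scanner from a single stray click.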

Evidence notes

CISA ICS advisory ICSA-24-156-01 (Update A) published June 4, 2024, modified September 24, 2024. CVSS 3.1 score 6.1 (MEDIUM). Affected versions: < NVR-B3801.20.17.240507. Fixed version: NVR-B3801.20.17.240507.

Official resources

2024-06-04