Introduction
CISA has issued ICSA-26-148-05, detailing a critical Cross-site Scripting (XSS) vulnerability affecting CP Plus 8-Channel Network Video Recorders (NVRs). This vulnerability, assigned a CVSS v3 score of 8.4 (High), allows attackers to execute malicious scripts in the browsers of authenticated users accessing the affected web interface. Given the prevalence of CP Plus NVRs in physical security environments—particularly in critical infrastructure sectors—this flaw presents a significant risk. Attackers can hijack administrative sessions, manipulate surveillance footage, exfiltrate sensitive credentials, and degrade system integrity. Defenders must immediately identify affected assets and apply vendor-supplied mitigations.
Technical Analysis
Affected Products and Versions
| Component | Version |
|---|---|
| Hardware | CP-UNR-108F1 V1.0 |
| Web Interface | V3.2.7.128806 |
| System Firmware | V4.001.00AT009.0.R |
Vulnerability Details
CVE Identifier: Pending assignment (referenced in CISA ICSA-26-148-05)
CVSS v3 Score: 8.4 (High)
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') – CWE-79
Attack Mechanics
This vulnerability stems from insufficient input sanitization in the CP Plus NVR web management interface. The attack chain unfolds as follows:
- Payload Injection: An attacker crafts a malicious JavaScript payload and injects it into a vulnerable parameter within the NVR's web interface (e.g., via HTTP GET/POST parameters, headers, or form fields).
- Storage or Reflection: Depending on the specific flaw (stored vs. reflected), the payload is either persisted on the device or immediately reflected in the HTTP response.
- Victim Access: When an authenticated user (including administrators) accesses the compromised interface endpoint, their browser executes the injected script within the security context of the NVR application.
- Post-Exploitation Actions: The executing script can:
  - Steal session cookies for session hijacking
  - Perform unauthorized administrative actions (delete footage, modify camera settings, add rogue users)
  - Exfiltrate recorded video or system configuration data
  - Pivot to other systems on the management network
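To make the CWE-79 defect concrete, here is an added example (not code from the advisory, and not the CP Plus web interface, whose vulnerable parameter is not published): a page generator that writes a query parameter into HTML verbatim, beside the same generator with output encoding applied. The `/search?q=` URI and the page template are hypothetical stand-ins.

```python
# Added example, not code from the advisory or from the CP Plus firmware: the
# CWE-79 defect pattern beside its fix. The advisory names no endpoint or
# parameter, so the "/search?q=" URI and the page template are hypothetical.
import html
from urllib.parse import parse_qs, urlsplit

TEMPLATE = "<html><body><h1>Results for: {q}</h1></body></html>"


def query_param(request_uri: str, name: str = "q") -> str:
    """Extract one query parameter (percent-decoded) from a request URI."""
    return parse_qs(urlsplit(request_uri).query).get(name, [""])[0]


def render_vulnerable(request_uri: str) -> str:
    """Improper neutralisation: user input is written into the page verbatim,
    so '<' and '>' in the parameter become markup the browser parses."""
    return TEMPLATE.format(q=query_param(request_uri))


def render_fixed(request_uri: str) -> str:
    """Output encoding for an HTML text context: html.escape() turns the five
    metacharacters & < > " ' into entities, so the input is shown, not parsed."""
    return TEMPLATE.format(q=html.escape(query_param(request_uri), quote=True))


def contains_injected_markup(page: str) -> bool:
    """Test oracle: any '<' beyond those in the static template means the
    untrusted value reached the page as live markup."""
    return page.count("<") > TEMPLATE.count("<")


if __name__ == "__main__":
    uri = "/search?q=%3Cb%3Ehello%3C%2Fb%3E"   # constructed: a percent-encoded <b>hello</b>
    print("vulnerable:", render_vulnerable(uri))
    print("fixed:     ", render_fixed(uri))
```

The encoding must match the output context: `html.escape` is correct for element text and quoted attribute values, but a value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, which is why a single "sanitize on input" filter (and the WAF patterns later in this advisory) is a compensating control rather than a fix.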
Exploitation Status
At the time of this advisory, exploitation is considered theoretical but highly feasible. The vulnerability has been documented through CISA's coordinated disclosure process. Given the accessibility of web management interfaces and the high value of video surveillance data, defenders should assume active scanning and exploitation attempts will occur rapidly following public disclosure.
Detection & Response
SIGMA Rules
```yaml
---
title: CP Plus NVR Web Interface XSS Attempt Detection
id: csa-26-148-05-cpplus-xss-001
status: experimental
description: Detects potential XSS attack attempts against the CP Plus NVR web management interface by identifying common XSS patterns in HTTP requests targeting the device.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
  - https://attack.mitre.org/techniques/T1059/007
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.007
logsource:
  category: webserver   # Sigma's standard category for HTTP server logs
detection:
  selection_target:
    cs_host|contains:
      - 'cpplus'
      - 'nvr'
    dst_port: 80
  selection_xss_keywords:
    cs_uri_query|contains:
      - '<script'
      - 'javascript:'
      - 'onerror='
      - 'onload='
      - 'alert('
      - 'document.cookie'
      - 'fromCharCode'
  selection_xss_metachars:
    # two HTML/JS metacharacters anywhere in the query string ('' is an escaped quote in YAML)
    cs_uri_query|re: '.*[<>"''].*[<>"''].*'
  condition: selection_target and (selection_xss_keywords or selection_xss_metachars)
falsepositives:
  - Legitimate web application testing by authorized personnel
  - Filtered web scanning tools
level: high
---
title: CP Plus NVR Admin Session Hijacking Indicators
id: csa-26-148-05-cpplus-session-002
status: experimental
description: Detects potential session hijacking of CP Plus NVR administrative interfaces by identifying multiple successful authentications from disparate source addresses within a short timeframe.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
  - https://attack.mitre.org/techniques/T1550/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1550
  - attack.initial_access
  - attack.t1078
logsource:
  category: authentication
detection:
  selection_target:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
    application|contains: 'http'
  selection_success:
    result: 'success'
  timeframe: 5m
  # aggregation takes one field: distinct source IPs per destination within the timeframe
  condition: selection_target and selection_success | count(src_ip) by dst_ip > 3
falsepositives:
  - Legitimate administrative access from multiple corporate locations
  - Authorized VPN access from distributed workforce
level: medium
---
title: CP Plus NVR Unusual Administrative Actions Pattern
id: csa-26-148-05-cpplus-actions-003
status: experimental
description: Detects suspicious administrative actions on CP Plus NVR devices that may indicate XSS exploitation, including rapid configuration changes or multiple user account modifications.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
  - https://attack.mitre.org/techniques/T1112/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.defense_evasion
  - attack.t1112
  - attack.impact
  - attack.t1565
logsource:
  category: webserver
detection:
  selection_target:
    cs_host|contains:
      - 'cpplus'
      - 'nvr'
    cs_method:
      - 'POST'
      - 'PUT'
  selection_admin_paths:
    cs_uri_path|contains:
      - '/user'
      - '/account'
      - '/delete'
      - '/format'
      - '/config'
  selection_script_endpoints:
    cs_uri_path|endswith:
      - '.cgi'
      - '.php'
  timeframe: 1m
  # the volume threshold belongs in the condition's aggregation, not in a selection
  condition: selection_target and (selection_admin_paths or selection_script_endpoints) | count() by src_ip > 10
falsepositives:
  - Legitimate bulk configuration changes by administrators
  - Scheduled maintenance activities
level: high
```
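The Sigma rules above match fields as the log pipeline delivers them. As an added example (not part of the advisory or of the rules), the following Python re-implements the two core selections, the XSS pattern match in the query string from rule 001 and the one-minute burst of POST/PUT requests to administrative paths from rule 003, and runs them over constructed W3C-style proxy log lines; hostnames, IPs and paths are made up. It also shows the caveat a practitioner needs: a percent-encoded payload does not contain the literal `<script`, so the pattern selection only fires if `cs_uri_query` is decoded before matching.

```python
# Added example, not from the advisory: a Python re-implementation of the
# selections in Sigma rules 001 and 003, run over constructed log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

XSS_KEYWORDS = ("<script", "javascript:", "onerror=", "onload=", "alert(",
                "document.cookie", "fromcharcode")
XSS_META_RE = re.compile(r"""[<>"'].*[<>"']""")      # two metacharacters, as in rule 001
ADMIN_PATHS = ("/user", "/account", "/delete", "/format", "/config")
SCRIPT_SUFFIXES = (".cgi", ".php")
BURST_WINDOW = timedelta(minutes=1)                   # rule 003: timeframe 1m
BURST_THRESHOLD = 10                                  # rule 003: count() by src_ip > 10


def parse_line(line):
    """Fields: timestamp src_ip method cs_host cs_uri_path cs_uri_query ('-' = none)."""
    ts, src, method, host, path, query = line.split()
    return {"ts": datetime.fromisoformat(ts), "src_ip": src, "method": method,
            "host": host, "path": path, "query": "" if query == "-" else query}


def targets_nvr(ev):
    """selection_target: host name contains 'cpplus' or 'nvr'."""
    return any(s in ev["host"].lower() for s in ("cpplus", "nvr"))


def is_xss_attempt(query, decode=True):
    """XSS selections of rule 001. With decode=False the raw field is matched,
    which is what the Sigma rule does; encoded payloads are then missed."""
    q = (unquote_plus(query) if decode else query).lower()
    return any(k in q for k in XSS_KEYWORDS) or XSS_META_RE.search(q) is not None


def is_admin_write(ev):
    """Selections of rule 003: POST/PUT to an administrative or script endpoint."""
    p = ev["path"].lower()
    return (ev["method"] in ("POST", "PUT")
            and (any(a in p for a in ADMIN_PATHS) or p.endswith(SCRIPT_SUFFIXES)))


def detect(lines):
    """Return (xss_hits, burst_sources) for an iterable of log lines."""
    xss_hits, burst_sources = [], set()
    recent = defaultdict(deque)          # src_ip -> timestamps of admin writes in window
    for line in lines:
        ev = parse_line(line)
        if not targets_nvr(ev):
            continue
        if is_xss_attempt(ev["query"]):
            xss_hits.append((ev["src_ip"], ev["path"], unquote_plus(ev["query"])))
        if is_admin_write(ev):
            window = recent[ev["src_ip"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()             # sliding one-minute window per source
            if len(window) > BURST_THRESHOLD:
                burst_sources.add(ev["src_ip"])
    return xss_hits, burst_sources


def sample_log():
    """Constructed sample: one encoded probe, one probe against a non-NVR host,
    a 12-request config-change burst, and three spaced-out benign writes."""
    base = datetime(2026, 4, 6, 10, 0, 0)
    at = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = [
        f"{at()} 10.1.1.5 GET nvr-lobby.local /index.html -",
        f"{at(seconds=1)} 10.1.1.5 GET nvr-lobby.local /search.cgi q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
        f"{at(seconds=2)} 10.1.1.9 GET nvr-lobby.local /live.cgi ch=1",
        f"{at(seconds=3)} 10.1.1.9 GET files.corp.local /search q=%3Cb%3E",
    ]
    lines += [f"{at(seconds=10 + i)} 10.1.1.5 POST nvr-lobby.local /config.cgi -" for i in range(12)]
    lines += [f"{at(minutes=5 * i)} 10.1.1.9 POST nvr-lobby.local /user.cgi -" for i in range(3)]
    return lines


if __name__ == "__main__":
    hits, bursts = detect(sample_log())
    for hit in hits:
        print("XSS pattern:", hit)
    print("Burst sources:", sorted(bursts))
```

Running it reports one pattern hit (the encoded probe against the NVR host; the identical probe against a file server is filtered out by the target selection) and one burst source. With `decode=False` the encoded probe is not reported at all, which is the behaviour of the Sigma rule on an undecoded `cs_uri_query` field.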
KQL (Microsoft Sentinel / Defender)
```kql
// Hunt for XSS attempts targeting CP Plus NVR interfaces
let XSSPatterns = dynamic(["<script", "javascript:", "onerror=", "onload=", "document.cookie", "fromCharCode", "eval("]);
let NVRIPRanges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.168.1.0/24"]);
CommonSecurityLog
| where DestinationPort in (80, 443)
// scope to NVR traffic: vendor tag, application name, or the NVR address ranges defined above
| where DeviceVendor in ("CP Plus", "CPPlus", "CPPLUS")
    or Application contains "nvr"
    or ipv4_is_in_any_range(DestinationIP, NVRIPRanges)
| where isnotempty(RequestURL)
// payloads usually arrive percent-encoded; decode before matching
| extend DecodedURL = url_decode(RequestURL)
| where DecodedURL has_any (XSSPatterns)
    or DecodedURL matches regex @".*[<>""'\x00-\x1F].*[<>""'\x00-\x1F].*"
| extend IoCType = "XSS_Pattern", TargetSystem = "CPPlus_NVR"
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, RequestURL, RequestMethod, SentBytes, ReceivedBytes, IoCType, TargetSystem
| order by TimeGenerated desc
```

```kql
// Detect anomalous authentication patterns to NVR web interfaces
CommonSecurityLog
| where DeviceVendor in ("CP Plus", "CPPlus", "CPPLUS") or DestinationPort in (80, 443, 8080, 8443)
| where RequestURL contains "/login" or RequestURL contains "/auth" or RequestURL contains "/user"
| where DeviceAction == "Accepted" or DeviceAction == "Success"
| summarize AuthCount = count(), UniqueSourceIPs = dcount(SourceIP) by DestinationIP, bin(TimeGenerated, 5m)
| where AuthCount > 10 and UniqueSourceIPs > 3
| extend AlertType = "Potential_Session_Hijacking", TargetSystem = "CPPlus_NVR"
| project TimeGenerated, DestinationIP, AuthCount, UniqueSourceIPs, AlertType, TargetSystem
| order by TimeGenerated desc
```

```kql
// Identify potential data exfiltration from NVR interfaces
CommonSecurityLog
| where DeviceVendor in ("CP Plus", "CPPlus", "CPPLUS") or (DestinationPort == 80 and RequestURL contains "/video")
| where isnotempty(SentBytes) and tolong(SentBytes) > 10485760 // > 10MB per request
// tolong rather than toint: hourly sums can exceed the 32-bit range
| summarize TotalBytesExfiltrated = sum(tolong(SentBytes)), ConnectionCount = count() by SourceIP, DestinationIP, bin(TimeGenerated, 1h)
| where TotalBytesExfiltrated > 104857600 // > 100MB per hour
| extend AlertType = "Potential_Data_Exfiltration", TargetSystem = "CPPlus_NVR"
| project TimeGenerated, SourceIP, DestinationIP, TotalBytesExfiltrated, ConnectionCount, AlertType, TargetSystem
| order by TimeGenerated desc
```
Velociraptor VQL
```vql
-- Hunt for browser processes connecting to known NVR IP ranges.
-- This helps identify management workstations that may have been targeted.
-- VQL has no JOIN: the browser process list is iterated with foreach() and
-- matched against netstat() by Pid. cidr_contains() is the built-in range test.
LET NVR_IP_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

LET Browsers = SELECT Pid AS BrowserPid, Name AS BrowserName, Username, CommandLine, CreateTime
  FROM pslist()
  WHERE Name =~ "^(chrome|firefox|msedge|safari|opera)"

SELECT * FROM foreach(
  row=Browsers,
  query={
    SELECT BrowserPid, BrowserName, Username, CommandLine, CreateTime,
           Raddr.IP AS RemoteAddr, Raddr.Port AS RemotePort, Status
    FROM netstat()
    WHERE Pid = BrowserPid
      AND cidr_contains(ip=Raddr.IP, ranges=NVR_IP_RANGES)
      AND Raddr.Port IN (80, 443, 8080, 8443)
  })
```

```vql
-- Hunt for suspicious PowerShell or script execution that may indicate
-- post-exploitation from XSS-based attacks on management workstations.
-- The parent process is resolved with a pslist(pid=...) subquery instead of a
-- JOIN, and the 24-hour cut-off is an explicit timestamp.
LET Cutoff = timestamp(epoch=now() - 86400)

SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime,
       { SELECT Name, CommandLine FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Name =~ "^(powershell|pwsh|cmd|wscript|cscript)[.]exe$"
  AND CommandLine =~ "-enc|DownloadString|IEX|Invoke-Expression|FromBase64String"
  AND CreateTime > Cutoff
ORDER BY CreateTime DESC
```
Remediation Script (Bash)
```bash
#!/bin/bash
# CP Plus NVR Vulnerability Assessment and Remediation Script
# Addresses CISA ICSA-26-148-05 XSS Vulnerability
# Run with elevated privileges on management systems scanning for affected devices
set -e

# Color output for readability
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Vulnerable versions per CISA advisory
VULN_HW_VERSION="CP-UNR-108F1 V1.0"
VULN_WEB_VERSION="V3.2.7.128806"
VULN_SYS_VERSION="V4.001.00AT009.0.R"

OUTPUT_FILE="vulnerable_devices.txt"
# Start from an empty result file so entries from a previous run are not counted
: > "$OUTPUT_FILE"

echo -e "${YELLOW}[*] CP Plus NVR Vulnerability Scanner${NC}"
echo -e "${YELLOW}[*] CISA Advisory: ICSA-26-148-05${NC}"
echo ""

# Function to check if a device is vulnerable
check_vulnerable_device() {
    local target_ip=$1
    echo -e "${YELLOW}[+] Scanning device: ${target_ip}${NC}"

    # Check if device is responsive (HTTP)
    if curl -s --connect-timeout 3 "http://${target_ip}" > /dev/null 2>&1; then
        echo -e "${GREEN}[+] Device is responsive on port 80${NC}"

        # Attempt to retrieve device info page (adjust based on actual CP Plus interface);
        # '|| true' keeps 'set -e' from aborting the function on a curl failure
        HTTP_RESPONSE=$(curl -s --connect-timeout 5 "http://${target_ip}" 2>&1 || true)

        # Check for CP Plus identifying strings
        if echo "$HTTP_RESPONSE" | grep -qi 'cp.plus\|cpplus\|nvr'; then
            echo -e "${RED}[!] Identified as CP Plus NVR device${NC}"

            # Try to access version information (endpoint may vary)
            VERSION_PAGE=$(curl -s --connect-timeout 5 "http://${target_ip}/version" 2>&1 || echo "UNAVAILABLE")
            echo "[ ] Version information:"
            echo "$VERSION_PAGE" | head -20

            # Flag as potentially vulnerable
            echo -e "${RED}[!] MANUAL VERIFICATION REQUIRED${NC}"
            echo "[ ] Check web interface version matches: ${VULN_WEB_VERSION}"
            echo "[ ] Check system firmware version matches: ${VULN_SYS_VERSION}"
            echo "[ ] Hardware model: ${VULN_HW_VERSION}"
            echo ""
            echo "${target_ip}" >> "$OUTPUT_FILE"
        else
            echo -e "${GREEN}[-] Device does not appear to be CP Plus NVR${NC}"
        fi
    else
        echo -e "${YELLOW}[-] Device not responsive on port 80${NC}"
    fi
    echo ""
}

# Scan a single IP if provided
if [ -n "$1" ]; then
    check_vulnerable_device "$1"
else
    # Scan common NVR IP ranges (modify for your environment)
    echo -e "${YELLOW}[*] Scanning common NVR IP ranges...${NC}"
    echo ""
    for subnet in 192.168.1 192.168.0 10.0.0; do
        for host in $(seq 1 254); do
            check_vulnerable_device "${subnet}.${host}" &
            # Limit concurrent scans
            if [[ $(jobs -r | wc -l) -ge 20 ]]; then
                wait
            fi
        done
    done
    wait
fi

# Summary report
echo -e "${YELLOW}[*] Scan Complete${NC}"
if [ -s "$OUTPUT_FILE" ]; then
    VULN_COUNT=$(wc -l < "$OUTPUT_FILE")
    echo -e "${RED}[!] Potentially vulnerable devices found: ${VULN_COUNT}${NC}"
    echo "[ ] See ${OUTPUT_FILE} for details"
    echo ""
    echo -e "${YELLOW}[!] REMEDIATION STEPS:${NC}"
    echo "1. Isolate affected NVRs from external network access"
    echo "2. Restrict web interface access to trusted management IPs only"
    echo "3. Apply vendor patches immediately when available"
    echo "4. Review authentication logs for suspicious activity"
    echo "5. Rotate all admin credentials post-patch"
else
    echo -e "${GREEN}[!] No vulnerable devices detected${NC}"
fi

# Network segmentation recommendation
echo ""
echo -e "${YELLOW}[+] Temporary Mitigation - iptables rules for restricting access:${NC}"
echo "# Apply on management gateway/firewall"
echo "# Replace TRUSTED_ADMIN_SUBNET with your admin network"
echo "iptables -A INPUT -p tcp --dport 80 -s TRUSTED_ADMIN_SUBNET -j ACCEPT"
echo "iptables -A INPUT -p tcp --dport 443 -s TRUSTED_ADMIN_SUBNET -j ACCEPT"
echo "iptables -A INPUT -p tcp --dport 80 -j DROP"
echo "iptables -A INPUT -p tcp --dport 443 -j DROP"
```
Remediation
Immediate Actions
- Network Segmentation: Isolate affected CP Plus NVRs from untrusted networks. Implement VLANs to separate video surveillance infrastructure from general corporate networks. Restrict web interface access (TCP ports 80/443) to known administrative workstations only.
- Access Controls: Disable remote web management where not operationally required. If remote access is necessary, enforce VPN connectivity with MFA prior to accessing the NVR interface.
- Session Hygiene: Invalidate all existing administrative sessions and force re-authentication. Require administrators to log out of active sessions and close browser windows.
Patching and Firmware Updates
Monitor the CP Plus official security advisory page for the release of firmware updates addressing this XSS vulnerability. When patches become available:
- Test firmware updates in a non-production environment first
- Schedule updates during maintenance windows to minimize operational impact
- Verify update success by confirming the patched version numbers exceed the vulnerable versions listed above
- Retain configuration backups prior to applying firmware updates
Configuration Hardening
Until patches are available, implement the following defensive measures:
- Content Security Policy (CSP): If a reverse proxy sits in front of the NVR interface, implement strict CSP headers to mitigate XSS impact
- Input Validation at Network Edge: Deploy WAF rules to block common XSS patterns (e.g., <script, javascript:, onerror=) destined for NVR IP ranges
- Browser Isolation: Require administrators to access NVR interfaces from isolated browser sessions or dedicated workstations
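The CSP and session-cookie controls above are only effective if the proxy actually emits them. As an added example (not from the advisory and not a vendor-supplied configuration), the following Python audits a captured response header set for the XSS-related controls a reverse proxy should add: a Content-Security-Policy that restricts script sources, and HttpOnly/Secure/SameSite flags on session cookies so that a script running in the page cannot read or replay them. The header sets are constructed samples, and the policy string is a starting point, not one known to work with the CP Plus web UI.

```python
# Added example, not from the advisory or any vendor configuration: an audit
# of reverse-proxy response headers for XSS compensating controls, checked
# against constructed sample header sets.
STRICT_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'none'")   # assumed starting policy
UNSAFE_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def parse_csp(policy: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names (httponly, secure, samesite, ...) of one Set-Cookie value."""
    return {attr.strip().split("=", 1)[0].lower() for attr in set_cookie.split(";")[1:]}


def audit_response_headers(headers: dict) -> list:
    """Return findings for a {header_name: [values]} mapping; an empty list
    means the XSS-related controls are all present."""
    h = {name.lower(): values for name, values in headers.items()}
    findings = []

    csp_values = h.get("content-security-policy", [])
    if not csp_values:
        findings.append("missing Content-Security-Policy header")
    else:
        directives = parse_csp(csp_values[0])
        # script-src falls back to default-src when absent, as browsers do
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP restricts neither script-src nor default-src")
        elif any(src in UNSAFE_SCRIPT_SOURCES for src in script_src):
            findings.append("CSP script-src permits inline, eval or wildcard sources")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attributes(cookie)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly (readable via document.cookie)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "samesite" not in attrs:
            findings.append(f"cookie {name} lacks SameSite")
    return findings


# Constructed samples: what an unproxied device might send, and the target state behind the proxy
WEAK_HEADERS = {"Set-Cookie": ["session=abc123; Path=/"]}
HARDENED_HEADERS = {
    "Content-Security-Policy": [STRICT_CSP],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or "no findings")
```

Embedded web UIs commonly rely on inline scripts, so a policy this strict may break the NVR interface; deploy it first in report-only mode (`Content-Security-Policy-Report-Only`) in a non-production environment, and remember that headers injected by the proxy protect only the administrators whose traffic actually traverses the proxy.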
Monitoring and Logging
Enable comprehensive logging on the NVR devices and upstream network infrastructure:
- Log all HTTP requests to the NVR web interface
- Monitor for failed authentication attempts
- Alert on administrative configuration changes
- Correlate NVR access logs with SIEM detection rules provided above
CISA Compliance Deadlines
Per CISA ICS-CERT recommendations for ICS vulnerabilities:
- Within 48 hours: Implement network containment and access restrictions
- Within 7 days: Complete risk assessment and inventory of affected devices
- Within 30 days: Apply patches when available or implement compensating controls
Official Vendor Advisory Resources
- CISA Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-05
- CP Plus Support: Contact the vendor directly for firmware updates and security bulletins specific to the CP-UNR-108F1 model