CVE-2025-65791
Received Received - Intake
Command Injection in ZoneMinder image.php Allows Remote Code Execution

Publication date: 2026-02-18

Last updated on: 2026-03-11

Assigner: MITRE

Description
ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-65791
EUVD
EUVD-2025-207780
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneminder zoneminder 1.36.34
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-65791 is a critical command injection vulnerability in ZoneMinder version 1.36.34, specifically in the web/views/image.php file.

The vulnerability occurs because the application passes user input directly to the PHP exec() function without proper sanitization or validation.

This allows remote attackers to inject shell commands and execute arbitrary system commands on the server, potentially without authentication in some configurations.

Attackers can exploit this flaw to run arbitrary OS commands, read, modify or delete sensitive files, establish reverse shells, escalate privileges, and possibly fully compromise the affected server.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of system commands on the server hosting ZoneMinder.

  • Attackers can read, modify, or delete sensitive files.
  • They can establish reverse shells to maintain persistent access.
  • Privilege escalation is possible depending on the permissions of the ZoneMinder service.
  • The entire server could be fully compromised, affecting confidentiality, integrity, and availability of the system.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the web/views/image.php endpoint of ZoneMinder version 1.36.34 for command injection. A common method is to append shell metacharacters or commands to the 'when' parameter in the URL and observe if arbitrary commands are executed."}, {'type': 'list_item', 'content': 'Use a command like: curl "http://<target>/web/views/image.php?when=now;id" to check if the system executes the appended \'id\' command.'}, {'type': 'list_item', 'content': 'Monitor network traffic for unusual or unexpected command execution patterns originating from the ZoneMinder web service.'}, {'type': 'list_item', 'content': "Check server logs for suspicious requests containing shell metacharacters or command injection attempts targeting the 'when' parameter."}] [1]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of exec() with user-controlled input and implementing strict input validation and allowlists to prevent injection.

  • Apply vendor patches when they become available.
  • Use safe system call wrappers such as escapeshellarg() to sanitize inputs before passing them to system commands.
  • Restrict web service privileges by following the principle of least privilege to limit the impact of any successful exploitation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-65791. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart