CVE-2025-65791
Command Injection in ZoneMinder image.php Allows Remote Code Execution
Publication date: 2026-02-18
Last updated on: 2026-03-11
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneminder | zoneminder | 1.36.34 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65791 is a critical command injection vulnerability in ZoneMinder version 1.36.34, specifically in the web/views/image.php file.
The vulnerability occurs because the application passes user input directly to the PHP exec() function without proper sanitization or validation.
This allows remote attackers to inject shell commands and execute arbitrary system commands on the server, potentially without authentication in some configurations.
Attackers can exploit this flaw to run arbitrary OS commands, read, modify or delete sensitive files, establish reverse shells, escalate privileges, and possibly fully compromise the affected server.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of system commands on the server hosting ZoneMinder.
- Attackers can read, modify, or delete sensitive files.
- They can establish reverse shells to maintain persistent access.
- Privilege escalation is possible depending on the permissions of the ZoneMinder service.
- The entire server could be fully compromised, affecting confidentiality, integrity, and availability of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the web/views/image.php endpoint of ZoneMinder version 1.36.34 for command injection. A common method is to append shell metacharacters or commands to the 'when' parameter in the URL and observe whether arbitrary commands are executed. [1]
- Use a command like: curl "http://<target>/web/views/image.php?when=now;id" to check whether the system executes the appended 'id' command.
- Monitor network traffic for unusual or unexpected command execution patterns originating from the ZoneMinder web service.
- Check server logs for suspicious requests containing shell metacharacters or command injection attempts targeting the 'when' parameter.
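The log check in the last item, worked through as an added example that is not part of this record or of ZoneMinder: it scans Apache combined-format access-log lines (constructed here, with an assumed /zm/views/ install path) for requests to image.php whose URL-decoded 'when' value contains a shell metacharacter, and ignores ordinary values such as "now" or a timestamp.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2026:10:01:02 +0000] "GET /zm/views/image.php?when=now HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Feb/2026:10:01:07 +0000] "GET /zm/views/image.php?when=now%3Bid HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.0.0.9 - - [18/Feb/2026:10:01:09 +0000] "GET /zm/views/image.php?when=2026-02-18%2010%3A00%3A00 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
10.0.0.7 - - [18/Feb/2026:10:02:00 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Feb/2026:10:02:30 +0000] "GET /zm/views/image.php?when=now%7Cid HTTP/1.1" 500 0 "-" "curl/8.5.0"
"""

# Client IP and the quoted request line (method, target, protocol) of a combined-format entry.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that change the meaning of a string handed to a shell (CWE-78).
SHELL_META = set(";|&$`()<>\n\r")

def find_injection_attempts(log_text):
    """Return one finding per request to image.php whose 'when' value, after URL
    decoding, contains a shell metacharacter. Benign values ('now', a timestamp) pass."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/image.php"):
            continue
        # parse_qs percent-decodes values, so %3B becomes ';' before the check runs.
        for value in parse_qs(parts.query, keep_blank_values=True).get("when", []):
            hits = sorted(SHELL_META & set(value))
            if hits:
                findings.append({"ip": m.group("ip"), "when": value, "meta": "".join(hits)})
    return findings

if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['ip']} sent when={f['when']!r} (shell metacharacters: {f['meta']})")
```

Run it against the real access log with `find_injection_attempts(open(path).read())`; a hit only shows that someone tried, so pair it with the response size and status to judge whether the command actually ran.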
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of exec() with user-controlled input and implementing strict input validation and allowlists to prevent injection.
- Apply vendor patches when they become available.
- Escape any input that must reach a shell with escapeshellarg() before passing it to system commands, rather than interpolating it into the command string.
- Restrict web service privileges by following the principle of least privilege to limit the impact of any successful exploitation.