Cyber Resilience

CVE-2022-29806

Critical · Public PoC

Published: 26 April 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7876 (99.1th percentile)
Risk Priority: 67 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29806 is a critical-severity Path Traversal (CWE-22) vulnerability in ZoneMinder. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ZoneMinder before version 1.36.13 contains a path traversal vulnerability (CWE-22) that permits remote code execution when an invalid language setting is supplied. The flaw is made more exploitable by the application's ability to write a debug log file to an arbitrary pathname on the server.

Unauthenticated remote attackers can supply a crafted language value over the network to trigger code execution, achieving full confidentiality, integrity, and availability impact without any user interaction or credentials. The CVSS 9.8 score reflects the network-accessible, low-complexity nature of the attack.

Public references point to an official fix released in ZoneMinder 1.36.13, accompanied by a specific commit that addresses the language-handling and log-file path issues; administrators are advised to upgrade to this or later versions. The associated EPSS score reached a peak of 0.8865 and currently stands at 0.7876.

Vulnerability details

ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zoneminder
zoneminder
≤ 1.36.13

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
