CVE-2023-26039
Published: 25 February 2023
Summary
CVE-2023-26039 is a high-severity OS command injection (CWE-78) vulnerability in ZoneMinder. Its CVSS base score is 7.1 (High).
Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
ZoneMinder is an open source Linux-based CCTV application supporting IP, USB, and analog cameras. Versions prior to 1.36.33 (on the 1.36 branch) and prior to 1.37.33 (on the 1.37 branch) contain an OS command injection vulnerability (CWE-78) in the daemonControl function within web/api/app/Controller/HostController.php: request-controlled values reach a shell command line without validation or quoting, so a crafted API request executes arbitrary shell commands.
Any authenticated user can exploit the issue over the network with low attack complexity to run commands as the web server user. No user interaction or special setup is required beyond valid credentials. The CVSS 7.1 vector rates the confidentiality impact as low and the integrity impact as high; in practice, command execution as the web server user also exposes whatever that account can read, such as ZoneMinder's configuration and the stored event footage, so treat any valid account as sufficient for full compromise of the application host's web context.
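The injection pattern behind a CWE-78 flaw of this shape, shown as an added PHP example that is not ZoneMinder's code and does not reproduce the project's actual fix: the function names, parameter names, the zmdc.pl path, the command template and the allowlists are assumptions made for illustration.

```php
<?php
// Added illustration of the CWE-78 pattern behind CVE-2023-26039 in a ZoneMinder-style
// daemon-control endpoint. This is not ZoneMinder's code and does not reproduce its fix:
// the function names, parameter names, zmdc.pl path, command template and allowlists are
// assumptions made for this example.

/**
 * Vulnerable shape: request-controlled strings are interpolated straight into a shell
 * command line, which the controller would then hand to shell_exec()/exec(). A daemon
 * value such as "zmc; id" or "$(id)" is interpreted by /bin/sh, not treated as a name.
 */
function buildDaemonControlCommandVulnerable(string $command, string $daemon, string $args): string
{
    return "/usr/bin/zmdc.pl $command $daemon $args";   // no validation, no quoting
}

/**
 * Hardened shape: each request-controlled token must match a closed allowlist, and
 * everything that reaches the shell is quoted with escapeshellarg(). Returns the command
 * string so the result can be inspected without executing anything.
 */
function buildDaemonControlCommand(string $command, string $daemon, array $args): string
{
    // Allowlists are illustrative; the real set of verbs and daemons lives in the project.
    static $allowedCommands = ['start', 'stop', 'restart', 'reload', 'status'];
    static $allowedDaemons  = ['zmc', 'zma', 'zmfilter.pl', 'zmaudit.pl', 'zmtrigger.pl', 'zmwatch.pl'];

    if (!in_array($command, $allowedCommands, true)) {
        throw new InvalidArgumentException("unsupported command: $command");
    }
    if (!in_array($daemon, $allowedDaemons, true)) {
        throw new InvalidArgumentException("unsupported daemon: $daemon");
    }
    // Remaining arguments (e.g. "-m 3") are restricted to single-letter flags or small integers.
    foreach ($args as $a) {
        if (!preg_match('/\A(?:-[a-z]|[0-9]{1,6})\z/', $a)) {
            throw new InvalidArgumentException("rejected argument: $a");
        }
    }
    $parts = array_map('escapeshellarg', array_merge([$command, $daemon], $args));
    return '/usr/bin/zmdc.pl ' . implode(' ', $parts);
}

// Constructed malicious request value; nothing below invokes a shell.
$payload = 'zmc; id > /tmp/pwned';

echo "vulnerable: ", buildDaemonControlCommandVulnerable('start', $payload, ''), "\n";
try {
    buildDaemonControlCommand('start', $payload, []);
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}
echo "hardened:   ", buildDaemonControlCommand('start', 'zmc', ['-m', '3']), "\n";
```

Run it with `php example.php`: the first line shows the `;` surviving intact in the command string, the last shows every token wrapped in single quotes. The allowlist is checked before quoting on purpose: escapeshellarg() stops shell metacharacters, but it does not stop an attacker-chosen token from being parsed as an option by the program being launched, so the program name and its verbs must be fixed by the server, never by the request.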
The GitHub security advisory GHSA-44q8-h2pw-cc9g states that the vulnerability is resolved in ZoneMinder 1.36.33 and 1.37.33; upgrade to the fixed release of whichever branch is deployed, since a 1.37 build older than 1.37.33 remains vulnerable even though its version number exceeds 1.36.33. The associated EPSS score has remained flat at 0.0584 with no material increase since disclosure.
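An affected-version check for the two-branch fix described above, added here as a PHP example rather than taken from the project: the fixed versions are the ones the advisory names; how the function treats branches other than 1.36 and 1.37 is an assumption noted in the code.

```php
<?php
// Added affected-version check for CVE-2023-26039; not ZoneMinder's code. The fixed
// versions (1.36.33 on the 1.36 branch, 1.37.33 on the 1.37 branch) come from the
// advisory; the handling of other branches is an assumption made here.

/**
 * Returns true when $version is one the advisory describes as vulnerable.
 * Edge case: 1.37.x is a newer branch than 1.36.x, yet 1.37.10 is still vulnerable,
 * so comparing against a single "lowest fixed version" gives the wrong answer.
 */
function isVulnerableToCve202326039(string $version): bool
{
    // Fixed release per branch, per the advisory.
    $fixedByBranch = ['1.36' => '1.36.33', '1.37' => '1.37.33'];

    if (!preg_match('/\A(\d+)\.(\d+)\.(\d+)/', $version, $m)) {
        throw new InvalidArgumentException("unparseable version: $version");
    }
    $branch = $m[1] . '.' . $m[2];

    if (isset($fixedByBranch[$branch])) {
        return version_compare($version, $fixedByBranch[$branch], '<');
    }
    // Anything older than the 1.36 branch is "prior to 1.36.33" and therefore vulnerable;
    // anything newer than the 1.37 branch is assumed to carry the fix (assumption, the
    // advisory does not speak to hypothetical later branches).
    return version_compare($version, '1.36.0', '<');
}

// Constructed sample inputs; 1.38.0 is a hypothetical future version used only to
// exercise the "newer branch" path.
foreach (['1.36.32', '1.36.33', '1.37.10', '1.37.33', '1.34.26', '1.38.0'] as $v) {
    printf("%-8s %s\n", $v, isVulnerableToCve202326039($v) ? 'vulnerable' : 'patched');
}
```

The version string to feed in is whatever the deployment reports (package metadata or the ZoneMinder web UI); the point of the function is the per-branch comparison, not how the version is collected.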
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29925
Vulnerability details
ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS command injection via daemonControl() in /web/api/app/Controller/HostController.php. Any authenticated user can construct an API command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.