Cyber Resilience

CVE-2023-26039

Severity: High · Impact: RCE

Published: 25 February 2023
Modified: 21 November 2024
KEV: not listed
Patch: available (1.36.33 / 1.37.33)
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N)
EPSS: 0.0584 (90.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-26039 is a high-severity OS command injection (CWE-78) vulnerability in ZoneMinder (vendor zoneminder, product zoneminder). Its CVSS v3.1 base score is 7.1 (High).

Operationally, it ranks in the top 9.3% of CVEs by EPSS exploit likelihood (0.0584, 90.7th percentile), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

ZoneMinder is an open source Linux-based CCTV application supporting IP, USB, and analog cameras. Releases before 1.36.33 in the 1.36 series and before 1.37.33 in the 1.37 series contain an OS command injection vulnerability (CWE-78) in the daemonControl() function of web/api/app/Controller/HostController.php: values taken from the API request are placed into a shell command line without being neutralised, so a crafted API request executes arbitrary shell commands.

Any authenticated user can exploit the issue over the network with low attack complexity (AV:N/AC:L/PR:L/UI:N) and run commands as the web server user. The CVSS v3.1 vector rates the outcome as low confidentiality impact, high integrity impact, and no availability impact (C:L/I:H/A:N); in practice a shell running as the web server user exposes whatever that account can read, so treat the confidentiality rating as a floor rather than a ceiling. No user interaction or special setup is required beyond valid credentials.

The GitHub security advisory GHSA-44q8-h2pw-cc9g states that the vulnerability is resolved in ZoneMinder 1.36.33 and 1.37.33. The associated EPSS score has remained flat at 0.0584 with no material increase since disclosure.


Vulnerability details

ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS command injection via daemonControl() in web/api/app/Controller/HostController.php. Any authenticated user can construct an API command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zoneminder : zoneminder
< 1.36.33 (all earlier releases) · 1.37.0 to < 1.37.33
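To check whether a deployed instance falls inside those ranges, here is an added PHP helper (not from this page or from the ZoneMinder project) that applies the two fix thresholds the advisory gives. It assumes dotted three-part version strings, ignores any suffix after the third number, and treats releases older than the 1.36 series as "prior to 1.36.33" as well; that last point and the sample versions are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not ZoneMinder code. Fixed versions as stated in
// GHSA-44q8-h2pw-cc9g: 1.36.33 for the 1.36 series, 1.37.33 for the 1.37 series.
const FIXED_BY_SERIES = [
    '1.36' => '1.36.33',
    '1.37' => '1.37.33',
];

// Returns true when $version lies in an affected range for CVE-2023-26039.
function isAffectedByCve202326039(string $version): bool
{
    if (!preg_match('/\A(\d+)\.(\d+)\.(\d+)/', trim($version), $m)) {
        throw new InvalidArgumentException("unrecognised version string: $version");
    }
    $series     = $m[1] . '.' . $m[2];
    $normalised = $m[1] . '.' . $m[2] . '.' . $m[3];   // drops suffixes such as "-dev"

    if (isset(FIXED_BY_SERIES[$series])) {
        // Same series as a fix: affected only if older than that fix.
        return version_compare($normalised, FIXED_BY_SERIES[$series], '<');
    }
    // Other series (assumption): anything older than 1.36 is "prior to 1.36.33"
    // and carries no fix; 1.38 and later postdate both fixes.
    return version_compare($normalised, '1.36.0', '<');
}

// Constructed sample inputs, each with the verdict it should produce.
$samples = [
    '1.36.32'     => true,
    '1.36.33'     => false,
    '1.37.32'     => true,
    '1.37.33'     => false,
    '1.35.10'     => true,
    '1.38.0'      => false,
    '1.37.20-dev' => true,
];

foreach ($samples as $version => $expected) {
    $actual = isAffectedByCve202326039($version);
    printf("%-12s %s\n", $version, $actual ? 'AFFECTED' : 'not affected');
    if ($actual !== $expected) {
        throw new RuntimeException("unexpected verdict for $version");
    }
}
```

Feed it the version string your instance reports (for example the value shown in the web console) and upgrade to 1.36.33 or 1.37.33 if it returns AFFECTED.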

Mitigating Controls

Likely mitigating controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-78) cited in the NVD entry.

Sandboxed or managed runtime (addresses CWE-78). Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Note that daemonControl() exists to run daemon-control commands, so a sandbox that blocks all command execution would break that function; upgrading to 1.36.33 or 1.37.33 is the primary control, and running the web server under a low-privilege account limits what an injected command can do.

Input validation (addresses CWE-78). Validate inputs to block special elements (shell metacharacters) that would alter OS command execution, and quote anything that must still reach the shell.
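As an added illustration that is not ZoneMinder's code (and makes no claim about the exact lines in HostController.php), the following PHP contrasts the CWE-78 pattern the "Deeper analysis" section describes, request parameters concatenated into a shell command line, with a hardened form that applies the input-validation control above and quotes each argument with escapeshellarg(). The helper path, the allowed-command list, and all function and parameter names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ZoneMinder's code. The helper path and every name below
// are assumptions chosen to mirror the pattern described in the advisory.
const DAEMON_HELPER = '/usr/bin/zmdc.pl';

// Verbs the controller is meant to hand to the daemon helper (assumed list).
const ALLOWED_COMMANDS = ['start', 'stop', 'restart', 'status', 'reload'];

// Vulnerable pattern: request parameters are concatenated into the command
// line unchanged. exec()/shell_exec() hand that string to /bin/sh, which
// honours ';', '|', '$(...)' and friends inside it.
function buildCommandLineVulnerable(string $command, ?string $daemon = null): string
{
    $cmdline = DAEMON_HELPER . ' ' . $command;
    if ($daemon !== null) {
        $cmdline .= ' ' . $daemon;
    }
    return $cmdline;
}

// Hardened pattern: reject anything outside the expected vocabulary first,
// then quote every argument so the shell never interprets it.
function buildCommandLineHardened(string $command, ?string $daemon = null): string
{
    if (!in_array($command, ALLOWED_COMMANDS, true)) {
        throw new InvalidArgumentException("unsupported daemon command: $command");
    }
    // Daemon names are short identifiers; anything else is rejected outright.
    if ($daemon !== null && !preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $daemon)) {
        throw new InvalidArgumentException("invalid daemon name: $daemon");
    }
    // Belt and braces: even an allow-listed value is single-quoted for the shell.
    $cmdline = DAEMON_HELPER . ' ' . escapeshellarg($command);
    if ($daemon !== null) {
        $cmdline .= ' ' . escapeshellarg($daemon);
    }
    return $cmdline;
}

// Constructed inputs: a legitimate request and one carrying an injected command.
$requests = [
    'benign'    => ['command' => 'status',              'daemon' => 'zmc'],
    'malicious' => ['command' => 'status; id > /tmp/x', 'daemon' => 'zmc'],
];

foreach ($requests as $label => $req) {
    printf("%s input: %s\n", $label, json_encode($req));
    printf("  vulnerable builds: %s\n",
        buildCommandLineVulnerable($req['command'], $req['daemon']));
    try {
        printf("  hardened builds:   %s\n",
            buildCommandLineHardened($req['command'], $req['daemon']));
    } catch (InvalidArgumentException $e) {
        printf("  hardened:          rejected (%s)\n", $e->getMessage());
    }
}
```

The script only builds the command lines rather than executing them. For the malicious input the vulnerable builder yields `/usr/bin/zmdc.pl status; id > /tmp/x`, which /bin/sh would split at the semicolon and run as two commands under the web server's account; the hardened builder rejects it at the allow-list check, and even without that check escapeshellarg() would have turned the whole value into one quoted argument that the helper sees as an unknown verb.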

References

GitHub Security Advisory GHSA-44q8-h2pw-cc9g (fix in ZoneMinder 1.36.33 and 1.37.33)
NVD entry for CVE-2023-26039 (CWE-78; CVSS v3.1 7.1)