Cyber Posture

CVE-2025-65791

Critical · Public PoC · RCE

Published: 18 February 2026

Modified: 11 March 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65791 is a critical-severity OS Command Injection (CWE-78) vulnerability in ZoneMinder. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly mitigates command injection by requiring validation and sanitization of user inputs before passing them to exec() in web/views/image.php.

prevent

Addresses the specific flaw in ZoneMinder v1.36.34 by identifying, reporting, and correcting the unsanitized input handling in image.php.

prevent

Enforces logical access controls to prevent unauthenticated remote attackers from accessing and exploiting the vulnerable web/views/image.php endpoint.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is a command injection (CWE-78) in a public-facing web application component (ZoneMinder web/views/image.php), enabling remote unauthenticated exploitation (T1190) for arbitrary Unix shell command execution via exec() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

Deeper analysis [AI]

ZoneMinder v1.36.34 is affected by CVE-2025-65791, a command injection vulnerability (CWE-78) in the web/views/image.php component. The issue arises when the application passes unsanitized user input directly to the exec() function, potentially allowing arbitrary command execution. The vulnerability was published on 2026-02-18 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). However, it is disputed by the supplier, who asserts there is no unsanitized user input to the affected file.

As scored (AV:N/AC:L/PR:N/UI:N), the vulnerability is exploitable remotely over the network with low complexity and requires no authentication, privileges, or user interaction. Successful exploitation enables arbitrary command execution with high impact on confidentiality, integrity, and availability, potentially leading to full system compromise of the targeted ZoneMinder instance.

The primary reference is a GitHub repository at https://github.com/rishavand1/CVE-2025-65791, likely containing proof-of-concept details. No specific patches or mitigation steps are detailed in the available information, and the supplier's dispute suggests the reported input-sanitization claims should be re-evaluated. Security practitioners should monitor ZoneMinder updates and review whether the component is exposed.

Details

CWE(s)

Affected Products

zoneminder zoneminder 1.36.34 (vendor, product, version)

CVEs Like This One

CVE-2026-27470: Same product (Zoneminder Zoneminder)
CVE-2026-1961: Shared CWE-78
CVE-2025-54418: Shared CWE-78
CVE-2025-20349: Shared CWE-78
CVE-2026-4802: Shared CWE-78
CVE-2026-25857: Shared CWE-78
CVE-2025-27364: Shared CWE-78
CVE-2025-7382: Shared CWE-78
CVE-2026-42364: Shared CWE-78
CVE-2021-47794: Shared CWE-78
