Cyber Resilience

CVE-2025-65791

CriticalPublic PoCRCE

Published: 18 February 2026

Published
18 February 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0165 73.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-65791 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zoneminder Zoneminder. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

ZoneMinder v1.36.34 is affected by CVE-2025-65791, a command injection vulnerability (CWE-78) in the web/views/image.php component. The issue arises when the application passes unsanitized user input directly to the exec() function, potentially allowing arbitrary command execution. The vulnerability was published on 2026-02-18 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). However, it is disputed by the supplier, who asserts there is no unsanitized user input to the affected file.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no authentication, privileges, or user interaction. Successful exploitation enables arbitrary command injection, granting high-impact access to confidentiality, integrity, and availability, potentially leading to full system compromise on the targeted ZoneMinder instance.

The primary reference is a GitHub repository at https://github.com/rishavand1/CVE-2025-65791, likely containing proof-of-concept details. No specific patches or mitigation steps are detailed in available information, though the supplier's dispute suggests reevaluation of the reported input sanitization claims. Security practitioners should monitor ZoneMinder updates and review the component for exposure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection (CWE-78) in a public-facing web application component (ZoneMinder web/views/image.php), enabling remote unauthenticated exploitation (T1190) for arbitrary Unix shell command execution via exec() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27470Same product: Zoneminder Zoneminder
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2024-46484Shared CWE-78
CVE-2015-10145Shared CWE-78
CVE-2020-37002Shared CWE-78
CVE-2026-27848Shared CWE-78
CVE-2025-0356Shared CWE-78

Affected Assets

zoneminder
zoneminder
1.36.34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation and sanitization of user inputs before passing them to exec() in web/views/image.php.

prevent

Addresses the specific flaw in ZoneMinder v1.36.34 by identifying, reporting, and correcting the unsanitized input handling in image.php.

prevent

Enforces logical access controls to prevent unauthenticated remote attackers from accessing and exploiting the vulnerable web/views/image.php endpoint.

References