CVE-2013-0232
published 2013-03-20

Priority: P272 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 47.89% (98.7th percentile)
includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

Affected

11 ranges
Vendor | Product | Version range | Fixed in
debian | zoneminder | < zoneminder 1.25.0-4 (bookworm) | zoneminder 1.25.0-4 (bookworm)
zoneminder | zoneminder | |
zoneminder | zoneminder | |
zoneminder | zoneminder | |
zoneminder | zoneminder | |
zoneminder | zoneminder | |
zoneminder | zoneminder | |
zoneminder | zoneminder | >= 0 < 1.25.0-4 | 1.25.0-4
zoneminder | zoneminder | >= 0 < 1.25.0-4 | 1.25.0-4
zoneminder | zoneminder | >= 0 < 1.25.0-4 | 1.25.0-4
zoneminder | zoneminder | >= 0 < 1.25.0-4 | 1.25.0-4

Detection & IOCs (extracted from sources)

path: includes/functions.php
path: includes/actions.php
command: view=none&action=state&runState=start;{command}%26
  • Monitor HTTP POST requests to index.php containing 'action=state' with shell metacharacters (;, &, |) in the 'runState' parameter, which indicates exploitation of the packageControl command injection.
  • Monitor HTTP POST requests to index.php containing shell metacharacters in the 'key' or 'command' parameters targeting the setDeviceStatusX10 function.
  • Exploitation requires prior authentication; monitor for login attempts with default credentials (admin/admin) to ZoneMinder followed by POST requests to index.php with action=state.
  • Detect ZoneMinder versions 1.24.x and 1.25.0 in HTTP responses as vulnerable targets; response body matching /v1.2(4\.\d+|5\.0)/ indicates a vulnerable instance.
  • The vulnerability is exploitable only by authenticated users; unauthenticated exploitation is not possible.
  • The default application path used by the Metasploit module is /zm/; installations at non-default paths will require adjusted detection rules.
  • Executed commands run under the privileges of the web server user, not root; impact is bounded by web server account permissions.
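
The first two monitoring rules above can be expressed as a check over logged POST bodies. This is an added example, not code from the page or from ZoneMinder; the function name flag_params, the sample requests and the extra backtick and "$(" patterns are assumptions of the example.

```python
import re
from urllib.parse import parse_qs

# Metacharacters listed in the detection notes (; & |). Backtick and "$(" are
# added as an assumption of this example, not taken from the page.
SHELL_META = re.compile(r"[;&|`]|\$\(")


def flag_params(path, body):
    """Return the names of suspicious parameters in one POST to index.php.

    path: request path as logged; body: raw urlencoded POST body.
    """
    # Match on the script name only, so non-default install paths are covered.
    if not path.split("?", 1)[0].endswith("/index.php"):
        return []
    # separator="&" keeps ";" inside the value instead of splitting on it.
    params = parse_qs(body, keep_blank_values=True, separator="&")
    hits = []
    # packageControl: runState is only relevant together with action=state.
    if "state" in params.get("action", []):
        if any(SHELL_META.search(v) for v in params.get("runState", [])):
            hits.append("runState")
    # setDeviceStatusX10: the page names key and command but not the action
    # value, so this example checks them on every index.php POST.
    for name in ("key", "command"):
        if any(SHELL_META.search(v) for v in params.get(name, [])):
            hits.append(name)
    return hits


# Constructed sample requests (path, body); "id" is a harmless placeholder.
SAMPLES = [
    ("/zm/index.php", "view=none&action=state&runState=start"),
    ("/zm/index.php", "view=none&action=state&runState=start;id%26"),
    ("/cctv/index.php", "view=none&key=A1%7Cid&command=on"),
    ("/zm/index.php", "view=console&runState=a;b"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, body, "->", flag_params(path, body) or "clean")
```

The check decodes the body before matching, so the %26 form shown in the command pattern is caught as a literal "&" inside the value.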

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |