CVE-2023-26035
Published 2023-02-25
Priority P184 · critical 9.8 · CVSS 3.1
Exploit available
EPSS 80.46% (99.6th percentile)
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.36.33+dfsg1-1 (bookworm) | zoneminder 1.36.33+dfsg1-1 (bookworm) |
| zoneminder | zoneminder | < 1.36.33 | 1.36.33 |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1 |
| zoneminder | zoneminder | >= 1.37.00 < 1.37.33 | 1.37.33 |
Detection & IOCs (extracted from sources)
- url: /zm/index.php
- command: view=snapshot&action=create&monitor_ids[0][Id]=;ping+{{interactsh-url}}&__csrf_magic={{csrf_token}}
- other: csrfMagicToken = "(key:[a-f0-9]{40},\d+)
- snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoneminder Create Snapshot Command Injection Attempt (CVE-2023-26035)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/zm/index.php"; fast_pattern; http.request_body; content:"view|3d|snapshot&action=create&monitor_ids|5b|"; content:"|5b|Id|5d 3d 3b|"; within:30; content:"&__csrf_magic|3d|key|3a|"; within:200; reference:url,attackerkb.com/topics/9s4YXM2Y4i/cve-2023-26035; reference:cve,2023-26035; classtype:attempted-admin; sid:2049214; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2023_11_15, cve CVE_2023_26035, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, reviewed_at 2024_10_02, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
- The exploit targets the snapshot action via an HTTP POST to /index.php (or /zm/index.php) with the parameters view=snapshot&action=create and a monitor_ids array whose Id field carries an injected shell command (e.g., monitor_ids[0][Id]=;<command>). No authentication is required.
- The Snort/Suricata rule (sid 2049214) matches the POST method, the URI /zm/index.php, a body containing 'view=snapshot&action=create&monitor_ids[', followed within 30 bytes by '[Id]=;' (hex: |5b|Id|5d 3d 3b|), and within 200 bytes by '&__csrf_magic=key:' (hex: &__csrf_magic|3d|key|3a|).
- Shodan and FOFA queries can identify exposed ZoneMinder instances as potential targets: search for html:"ZM - Login" or http.html:"zm - login" (Shodan) and body="zm - login" (FOFA).
- The exploit flow requires two HTTP requests: first a GET to /index.php to extract the CSRF token (csrfMagicToken matching key:[a-f0-9]{40},\d+), then a POST with the injected payload. Detection should look for this two-step pattern from the same source.
- The Metasploit module for this CVE is exploit/unix/webapp/zoneminder_snapshots and exploits the 'create monitor ids[]' action of the snapshot view. Use of this module can be identified by its characteristic POST body structure.
- The Nuclei template requires interactsh (an out-of-band DNS callback) to confirm exploitation, because the injected command is 'ping {{interactsh-url}}'. Confirming blind command injection therefore requires DNS interaction detection.
- The exploit requires a valid CSRF token extracted from the login page before the injection POST. The token is extracted via regex from the initial GET response and must be included in the POST body as __csrf_magic.
- Affected versions are strictly prior to 1.36.33 and 1.37.33; fixed versions are 1.36.33 and 1.37.33. Debian bookworm, forky, sid, and trixie are resolved at 1.36.33+dfsg1-1; bullseye remains open.
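To make the rule's three body anchors concrete, here is an added Python re-implementation of its content/within matching (example code, not the ET rule itself or code from any of the page's sources). The sample requests are constructed, and the host names cam.internal.example and oob.example are placeholders.

```python
# Added example: re-implements the content/within logic of ET rule sid 2049214 so
# the anchors can be checked against captured HTTP requests. Samples are constructed.

CONTENT_1 = b"view=snapshot&action=create&monitor_ids["   # first body anchor
CONTENT_2 = b"[Id]=;"                                      # |5b|Id|5d 3d 3b|
CONTENT_3 = b"&__csrf_magic=key:"                          # &__csrf_magic|3d|key|3a|


def _split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return None, None, body
    return parts[0], parts[1], body


def _within(buf: bytes, needle: bytes, start: int, limit: int) -> int:
    """Approximation of Suricata 'within:N': the needle must lie entirely inside
    the N bytes following the previous match end. Returns the new end or -1."""
    idx = buf.find(needle, start, start + limit)
    return -1 if idx < 0 else idx + len(needle)


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every anchor: POST, '/zm/index.php' in the
    URI, CONTENT_1, then CONTENT_2 within 30 bytes, then CONTENT_3 within 200."""
    method, uri, body = _split_request(raw)
    if method != b"POST" or uri is None or b"/zm/index.php" not in uri:
        return False
    idx = body.find(CONTENT_1)
    if idx < 0:
        return False
    end2 = _within(body, CONTENT_2, idx + len(CONTENT_1), 30)
    if end2 < 0:
        return False
    return _within(body, CONTENT_3, end2, 200) >= 0


HDR = b"POST /zm/index.php HTTP/1.1\r\nHost: cam.internal.example\r\n\r\n"
# Constructed injection attempt, shaped like the payload quoted on this page.
INJECTION = HDR + (b"view=snapshot&action=create&monitor_ids[0][Id]=;ping+oob.example"
                   b"&__csrf_magic=key:" + b"a" * 40 + b",1700000000")
# Constructed benign requests: an id-based lookup and a create with a plain numeric
# Id. Neither carries the ';' byte that the rule keys on, so neither alerts.
LOOKUP = HDR + b"view=snapshot&action=create&monitor_ids[0]=7&__csrf_magic=key:" + b"b" * 40 + b",1"
CREATE = HDR + b"view=snapshot&action=create&monitor_ids[0][Id]=7&__csrf_magic=key:" + b"c" * 40 + b",1"


def scan(requests):
    """Return the indexes of requests that trigger the rule."""
    return [i for i, r in enumerate(requests) if matches_rule(r)]


if __name__ == "__main__":
    print("alerts:", scan([INJECTION, LOOKUP, CREATE]))  # alerts: [0]
```

Note that, like the rule, this only keys on the '/zm/index.php' URI; deployments serving ZoneMinder at /index.php need the URI anchor relaxed.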
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_debian: 7.2 LOW
Debian (vendor_debian · 2023 · CVSS 7.2, rated HIGH)
CVE-2023-26035: zoneminder
Scope: local
bookworm: resolved (fixed in 1.36.33+dfsg1-1)
bullseye: open
forky: resolved (fixed in 1.36.33+dfsg1-1)
sid: resolved (fixed in 1.36.33+dfsg1-1)
trixie: resolved (fixed in 1.36.33+dfsg1-1)
OSV (osv · 2023-02-25 · CVSS 9.8, rated CRITICAL)
CVE-2023-26035: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras (same description as above).
Suricata (suricata · 2023-11-15 · CVSS 7.2, rated HIGH)
ET WEB_SPECIFIC_APPS Zoneminder Create Snapshot Command Injection Attempt (CVE-2023-26035)
Rule: sid 2049214, rev 3; the full rule text is listed under Detection & IOCs above.
Metasploit (metasploit)
ZoneMinder Snapshots Command Injection
This module exploits an unauthenticated command injection in zoneminder that can be exploited by appending a command to the "create monitor ids[]"-action of the snapshot view. Affected versions: < 1.36.33, < 1.37.33
Nuclei (nuclei · CVSS 9.8, rated CRITICAL)
ZoneMinder Snapshots - Command Injection
Template:
id: CVE-2023-26035
info:
  name: ZoneMinder Snapshots - Command Injection
  author: Unblvr1,whotwagner
  severity: critical
  description: |
    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras.Vers
arXiv (arxiv_fulltext · 2026-03-04)
CAM-LDS: Cyber Attack Manifestations for Automatic Interpretation of System Logs and Security Alerts
Max Landauer, Wolfgang Hotwagner, Thorina Boenke, Florian Skopik, Markus Wurzenberger (Austrian Institute of Technology, Center for Digital Safety & Security, Vienna 1210, Austria)
## Abstract
Log data are essential for intrusion detection and forensic investigations. However, manual log analysis is tedious due to high data volumes, heterogeneous event formats, and unstructured messages. Even though many automated methods for log analysis exist, they usually still rely on domain-specific configurations such as expert-defined detection rules, handcrafted log parsers, or manual feature-engineering. Crucially, the level of automati
arXiv (arxiv_fulltext · 2026-01-20)
AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain
Max Landauer, Wolfgang Hotwagner, Thorina Boenke, Florian Skopik, Markus Wurzenberger (Austrian Institute of Technology, Vienna, Austria)
## Abstract
Adversary emulation tools facilitate scripting and automated execution of cyber attack chains, thereby reducing costs and manual expert effort required for security testing, cyber exercises, and intrusion
References
- http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr