CVE-2023-26035
published 2023-02-25

CVE-2023-26035: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33…

Priority: P184 (critical), CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 80.46% (99.6th percentile)
ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to unauthenticated remote code execution via missing authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can instead be passed an object that creates a new one. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.

Affected (7 ranges)

Vendor      Product     Version range                             Fixed in
debian      zoneminder  < zoneminder 1.36.33+dfsg1-1 (bookworm)   zoneminder 1.36.33+dfsg1-1 (bookworm)
zoneminder  zoneminder  < 1.36.33                                 1.36.33
zoneminder  zoneminder  (none listed)                             (none listed)
zoneminder  zoneminder  >= 0 < 1.36.33+dfsg1-1                    1.36.33+dfsg1-1
zoneminder  zoneminder  >= 0 < 1.36.33+dfsg1-1                    1.36.33+dfsg1-1
zoneminder  zoneminder  >= 0 < 1.36.33+dfsg1-1                    1.36.33+dfsg1-1
zoneminder  zoneminder  >= 1.37.00 < 1.37.33                      1.37.33

Detection & IOCs (extracted from sources)

url: /zm/index.php
command: view=snapshot&action=create&monitor_ids[0][Id]=;ping+{{interactsh-url}}&__csrf_magic={{csrf_token}}
other: csrfMagicToken = "(key:[a-f0-9]{40},\d+)
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoneminder Create Snapshot Command Injection Attempt (CVE-2023-26035)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/zm/index.php"; fast_pattern; http.request_body; content:"view|3d|snapshot&action=create&monitor_ids|5b|"; content:"|5b|Id|5d 3d 3b|"; within:30; content:"&__csrf_magic|3d|key|3a|"; within:200; reference:url,attackerkb.com/topics/9s4YXM2Y4i/cve-2023-26035; reference:cve,2023-26035; classtype:attempted-admin; sid:2049214; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2023_11_15, cve CVE_2023_26035, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, reviewed_at 2024_10_02, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
  • Exploit targets the snapshot action via HTTP POST to /index.php (or /zm/index.php) with parameters view=snapshot&action=create and a monitor_ids array containing a shell command injected into the Id field (e.g., monitor_ids[0][Id]=;<command>). No authentication is required.
  • The Snort/Suricata rule detects the attack by matching the POST method, the URI /zm/index.php, a body containing 'view=snapshot&action=create&monitor_ids[', followed within 30 bytes by '[Id]=;' (hex: |5b|Id|5d 3d 3b|), and within 200 bytes by '&__csrf_magic=key:' (hex: &__csrf_magic|3d|key|3a|). SID 2049214.
  • Shodan and FOFA queries can identify exposed ZoneMinder instances as potential targets: search for html:"ZM - Login" or http.html:"zm - login" (Shodan) and body="zm - login" (FOFA).
  • The exploit flow requires two HTTP requests: first a GET to /index.php to extract the CSRF token (csrfMagicToken matching key:[a-f0-9]{40},\d+), then a POST with the injected payload. Detection should look for this two-step pattern from the same source.
  • The Metasploit module for this CVE is exploit/unix/webapp/zoneminder_snapshots and exploits the 'create monitor ids[]' action of the snapshot view. Presence of this module in use can be identified by its characteristic POST body structure.
  • The Nuclei template requires interactsh (out-of-band DNS callback) to confirm exploitation, as the injected command is 'ping {{interactsh-url}}'. Detection via DNS interaction is needed for blind command injection confirmation.
  • The exploit requires a valid CSRF token extracted from the login page before the injection POST. The CSRF token is extracted via regex from the initial GET response and must be included in the POST body as __csrf_magic.
  • Affected versions are strictly prior to 1.36.33 and 1.37.33. Fixed versions are 1.36.33 and 1.37.33. Debian bookworm, forky, sid, and trixie are resolved at 1.36.33+dfsg1-1; bullseye remains open.
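As an added illustration of the detection logic described above (this is not code from this page, from Emerging Threats, or from the ZoneMinder project), the Python below applies the three chained content matches of SID 2049214 to HTTP requests, emulating the Snort/Suricata `within` semantics, and adds a layout-independent enrichment that reports any non-numeric monitor Id and checks that the `__csrf_magic` value has the token format the IOC list gives. The sample requests, the all-zero dummy token and the CALLBACK_PLACEHOLDER host are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# The three content matches of ET sid 2049214 with their Snort hex escapes decoded:
#   view|3d|snapshot&action=create&monitor_ids|5b|  ->  view=snapshot&action=create&monitor_ids[
#   |5b|Id|5d 3d 3b|                                 ->  [Id]=;
#   &__csrf_magic|3d|key|3a|                         ->  &__csrf_magic=key:
CONTENT_1 = b"view=snapshot&action=create&monitor_ids["
CONTENT_2 = b"[Id]=;"
CONTENT_3 = b"&__csrf_magic=key:"

# CSRF token format listed on this page: key:<40 hex chars>,<digits>
CSRF_TOKEN_RE = re.compile(r"^key:[a-f0-9]{40},\d+$")


def _match_within(buf: bytes, needle: bytes, prev_end: int, within: int) -> int:
    """Emulate the Snort/Suricata 'within:N' modifier: search for `needle` after the
    previous match and require that it *ends* no more than N bytes past `prev_end`.
    Returns the end offset of the match, or -1 when the constraint fails."""
    idx = buf.find(needle, prev_end)
    if idx < 0:
        return -1
    end = idx + len(needle)
    return end if end - prev_end <= within else -1


def matches_sid_2049214(method: str, uri: str, body: bytes) -> bool:
    """Apply the rule's header and chained content checks to a single HTTP request."""
    if method != "POST" or "/zm/index.php" not in uri:    # http.method / http.uri
        return False
    idx = body.find(CONTENT_1)                             # http.request_body, fast_pattern
    if idx < 0:
        return False
    end1 = idx + len(CONTENT_1)
    end2 = _match_within(body, CONTENT_2, end1, 30)        # within:30
    if end2 < 0:
        return False
    return _match_within(body, CONTENT_3, end2, 200) >= 0  # within:200


def _form_fields(body: bytes):
    """Minimal application/x-www-form-urlencoded split. Own splitter so that a ';'
    inside a value is never treated as a pair separator (older urllib versions did)."""
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        yield (unquote_plus(key.decode("utf-8", "replace")),
               unquote_plus(value.decode("utf-8", "replace")))


def suspicious_monitor_ids(body: bytes) -> list:
    """Layout-independent alert enrichment: the snapshot action expects numeric monitor
    Ids, so every monitor_ids[...][Id] value that is not a plain integer is returned
    so the analyst sees exactly what was submitted."""
    return [value for key, value in _form_fields(body)
            if key.startswith("monitor_ids[") and key.endswith("][Id]")
            and not value.isdigit()]


def csrf_token_wellformed(body: bytes) -> bool:
    """True when the request carries a __csrf_magic value in the format the page lists."""
    return any(key == "__csrf_magic" and CSRF_TOKEN_RE.match(value)
               for key, value in _form_fields(body))


# Constructed sample traffic (not captured data): dummy token in the page's format,
# placeholder callback host instead of a real one.
CSRF = "key:" + "0" * 40 + ",1"
SAMPLE_REQUESTS = [
    # the request shape this page documents, callback host replaced by a placeholder
    ("POST", "/zm/index.php",
     f"view=snapshot&action=create&monitor_ids[0][Id]=;ping+CALLBACK_PLACEHOLDER&__csrf_magic={CSRF}".encode()),
    # legitimate snapshot creation for monitor 3
    ("POST", "/zm/index.php",
     f"view=snapshot&action=create&monitor_ids[0][Id]=3&__csrf_magic={CSRF}".encode()),
    # unrelated console view request
    ("POST", "/zm/index.php", f"view=console&__csrf_magic={CSRF}".encode()),
]


def scan(requests) -> list:
    """Return (request index, suspicious Id values) for each request that trips the rule."""
    return [(i, suspicious_monitor_ids(body))
            for i, (method, uri, body) in enumerate(requests)
            if matches_sid_2049214(method, uri, body)]


if __name__ == "__main__":
    for i, ids in scan(SAMPLE_REQUESTS):
        print(f"request {i}: ET sid 2049214 match, injected Id value(s): {ids}")
```

The rule checks byte layout only; `suspicious_monitor_ids` is the complementary check a WAF or log pipeline can run on the parsed form, since a legitimate snapshot request never carries a non-numeric Id.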

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                     9.8    CRITICAL
vendor_debian           7.2    LOW