CVE-2025-60787
Published 2025-10-03
Priority: P2 · 67 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 24.42% (97.6th percentile)
MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motioneye-project | motioneye | < 0.44.0 | 0.44.0 |
| motioneye_project | motioneye | — | — |
| motioneye_project | motioneye | — | — |
| motioneye_project | motioneye | >= 0 < 0.43.1b5 | 0.43.1b5 |
| motioneye_project | motioneye | >= 0 < 0.44.0 | 0.44.0 |
Detection & IOCs (extracted from sources)
- Detect client-side validation bypass attempts: look for browser console injection of `configUiValid = function() { return true; };` or equivalent JS overrides in web proxy/WAF logs targeting motionEye endpoints.
- Alert on motionEye configuration file writes (camera-*.conf) containing shell interpolation syntax such as `$(...)` or backtick expressions in filename parameters.
- Monitor for unexpected file creation in /tmp (e.g., /tmp/test) by the motion or motioneye process, which may indicate successful command injection via config parameter exploitation.
- A public Metasploit module exists for this CVE (linux/http/motioneye_auth_rce_cve_2025_60787); detect exploitation attempts matching Metasploit's default request patterns against motionEye HTTP endpoints.
- Exploitation requires authenticated admin access; unauthenticated attackers cannot directly exploit this vulnerability. Ensure admin credentials are not left at default (blank password).
- Code execution is deferred: the injected payload only executes when the motion process restarts or re-reads its configuration, not immediately upon saving the malicious value.
- Commands execute as the user running the web server process, not necessarily root; impact depends on the privilege level of the motioneye/motion service account.
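The second detection item above (alert on camera-*.conf writes whose filename parameters contain shell interpolation syntax) can be implemented as a small config scanner that a file-integrity hook or a periodic job runs over `/etc/motioneye/camera-*.conf`. The following is an added example written for this page, not code from the motionEye project or from any of the sources listed: it parses motion's `key value` line format (an assumption about the format; motion's real parser may accept variants), checks the `movie_filename` key named in the advisory plus other `*_filename` keys assumed here, and reports any value containing `$(...)`, backticks, `${...}` or shell metacharacters. The sample config embedded at the bottom is constructed for the demonstration and uses harmless commands.

```python
"""Scan motion/motionEye camera configuration text for shell interpolation in filename parameters.

Added example for CVE-2025-60787 detection; not part of motionEye. The key names other than
movie_filename and the 'key value' line format are assumptions about motion's config syntax.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Tuple

# Keys whose values end up in filenames that motion later interprets; movie_filename is named in
# the advisory, the others are assumed here. Any key ending in "_filename" is also checked.
FILENAME_KEYS = {"picture_filename", "movie_filename", "snapshot_filename",
                 "timelapse_filename", "image_file_name"}

# Ordered list: the first matching pattern gives the finding's reason.
SHELL_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("command substitution $(...)", re.compile(r"\$\([^)]*\)")),
    ("backtick command substitution", re.compile(r"`[^`]*`")),
    ("brace expansion ${...}", re.compile(r"\$\{[^}]*\}")),
    ("shell metacharacter ; | &", re.compile(r"[;|&]")),
]


@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    reason: str


def parse_conf(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, key, value) for 'key value' lines; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        yield line_no, key, value


def scan_motion_conf(text: str) -> List[Finding]:
    """Return one Finding per filename parameter whose value carries shell interpolation syntax."""
    findings: List[Finding] = []
    for line_no, key, value in parse_conf(text):
        if key not in FILENAME_KEYS and not key.endswith("_filename"):
            continue
        for reason, pattern in SHELL_PATTERNS:
            if pattern.search(value):
                findings.append(Finding(line_no, key, value, reason))
                break  # one finding per line is enough for an alert
    return findings


def scan_conf_dir(conf_dir: str) -> List[Tuple[str, Finding]]:
    """Scan every camera-*.conf under conf_dir (e.g. /etc/motioneye) and return (path, finding) pairs."""
    results: List[Tuple[str, Finding]] = []
    for path in sorted(Path(conf_dir).glob("camera-*.conf")):
        for finding in scan_motion_conf(path.read_text(errors="replace")):
            results.append((str(path), finding))
    return results


# Constructed sample camera-1.conf; not a real motionEye file. Line 4 is a normal motion
# filename template, lines 5 and 6 carry the kind of value the detection item warns about.
SAMPLE_CONF = """\
# constructed sample camera-1.conf
camera_name Front Door
width 640
picture_filename %Y-%m-%d/%H-%M-%S-%q
movie_filename $(id)%Y%m%d
snapshot_filename `whoami`-%Y%m%d
target_dir /var/lib/motioneye/Camera1
"""

if __name__ == "__main__":
    for f in scan_motion_conf(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.key} -> {f.reason}: {f.value!r}")
```

The `%Y`/`%q` strftime-style placeholders that motion legitimately uses in filename templates contain no shell syntax, so a normal template produces no finding; only the two injected lines are reported. Pairing `scan_conf_dir` with an inotify or auditd trigger on `/etc/motioneye` gives an alert at save time, before the deferred execution on the next motion restart.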
CVSS provenance
- NVD: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- GHSA: 7.2 HIGH
GHSA
CVE-2026-32315 [HIGH] CWE-732 motionEye's World-Readable Configuration File Exposes Admin Password Hash
ghsa · 2026-06-22 · CVSS 7.2
# Security Advisory: World-Readable Configuration File Exposes Admin Password Hash in motionEye
## Summary
motionEye v0.43.1 and prior versions create the configuration file `/etc/motioneye/motion.conf` with `644` permissions (`-rw-r--r--`), making it readable by any local user on the system. This file contains sensitive data including the admin password hash, which can be leveraged by other vulnerabilities to escalate privileges.
## Affected Versions
- motionEye <= 0.43.1b4
- Fixed in motionEye 0.44.0b1 (applies `0600` mode to `motion.conf` and `camera-*.conf` files)
## Vulnerability Details
### World-Readable Configuration File (CWE-732)
When motionEye writes its configuration, the file `/etc/motioneye/moti
GHSA
CVE-2025-60787 [HIGH] CWE-116 motionEye vulnerable to RCE via unsanitized motion config parameter
ghsa · 2025-11-03
## Summary
A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution (RCE) by supplying malicious values in configuration fields exposed via the Web UI. Because MotionEye writes user-supplied values directly into Motion configuration files without sanitization, attackers can inject shell syntax that is executed when the Motion process restarts. This issue enables full takeover of the MotionEye container and potentially the host environment (depending on container privileges).
## Details
### Root Cause:
MotionEye accepts arbitrary strings from fields such as **image_file_name** and **movie_filename** in the Web UI. These are written directly into **/etc/motioneye/camera-*.conf**. Whe
OSV
CVE-2025-60787 [HIGH] motionEye vulnerable to RCE via unsanitized motion config parameter
osv · 2025-11-03 (mirrors the GHSA advisory text above)
No detection rules found.
Exploit-DB
CVE-2025-60787 [HIGH] motionEye 0.43.1b4 - RCE
exploitdb · 2026-02-11 · CVSS 7.2
---
# Exploit Title: motionEye 0.43.1b4 - RCE
# Exploit PoC: motionEye RCE via client-side validation bypass (safe PoC)
# Filename: motioneye_rce_poc_edb.txt
# Author: prabhatverma47
# Date tested: 2025-05-14 (original test); prepared for submission: 2025-10-11
# Affected Versions: motionEye <= 0.43.1b4
# Tested on: Debian host running Docker; motionEye image ghcr.io/motioneye-project/motioneye:edge
# CVE(s) / References: MITRE/OSV advisories referenced: CVE-2025-60787
#
# Short description:
# Client-side validation in motionEye's web UI can be bypassed via overriding the JS validation
# function. Arbitrary values (including shell interpolation syntax) can be saved into the
# motion config. When motion is restarted, the motion process interprets the config and
#
Metasploit
CVE-2025-60787 [HIGH] Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)
metasploit · CVSS 7.2
This module exploits a template injection vulnerability in the MotionEye Frontend. MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution. Successful exploitation will result in the command executing as the user running the web server, potentially exposing sensitive data or disrupting survey operations. An attacker can execute arbitrary system commands in the context of the user running the web server.
No writeups or analysis indexed.