CVE-2024-51482

9.9 CRITICAL

📋 TL;DR

ZoneMinder versions 1.37.64 and earlier contain a boolean-based SQL injection vulnerability in the event.php component. This allows attackers to execute arbitrary SQL commands on the database, potentially leading to data theft, modification, or complete system compromise. All ZoneMinder installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • ZoneMinder
Versions: 1.37.* <= 1.37.64
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in the web/ajax/event.php component.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation, remote code execution, and full system takeover.

🟠 Likely Case

Unauthorized access to surveillance footage, configuration data theft, and potential manipulation of CCTV system functionality.

🟢 If Mitigated

Limited impact with proper network segmentation, database permissions, and input validation controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit once identified. The advisory suggests authentication may be required, but this should be verified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.37.65

Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-qm8h-3xvf-m7j3

Restart Required: Yes

Instructions:

1. Back up your ZoneMinder configuration and database
2. Update ZoneMinder to version 1.37.65 or later
3. Restart the ZoneMinder service
4. Verify the update was successful

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for the event.php endpoint to filter SQL injection attempts

Web Application Firewall

all

Deploy a WAF with SQL injection protection rules in front of ZoneMinder

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ZoneMinder from other systems
  • Apply database-level controls: use least privilege accounts, enable query logging, and implement stored procedures

🔍 How to Verify

Check if Vulnerable:

Check the ZoneMinder version via the web interface or the command line. If the version is 1.37.64 or earlier, the installation is vulnerable.

Check Version:

zmdc.pl version

Verify Fix Applied:

After updating, verify that the version is 1.37.65 or later and test the event.php endpoint functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by event.php access
  • SQL syntax errors in web server logs

Network Indicators:

  • Unusual patterns of requests to /web/ajax/event.php
  • SQL keywords in HTTP parameters

SIEM Query:

source="web_server" AND uri="/web/ajax/event.php" AND (param="SELECT" OR param="UNION" OR param="OR" OR param="AND")
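
The indicators above can also be checked offline against web server access logs. The script below is an added example, not part of the vendor advisory or ZoneMinder's code. It assumes the common/combined log format; the sample log lines and the parameter names `p` and `note` are constructed placeholders, since this page does not name the affected parameter.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Path from this page's network indicators; adjust to how it appears in your logs.
TARGET_PATH = "/web/ajax/event.php"
# Assumption: common/combined access-log format.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# SQL keywords as whole words, matched after URL decoding.
SQL_TOKENS = re.compile(r"\b(select|union|sleep|benchmark|information_schema)\b", re.I)
# Bare OR/AND also match ordinary text, so require a comparison after the operand.
BOOLEAN_TEST = re.compile(r"\b(or|and)\b\s+[\w'()]+\s*(=|<|>|like\b)", re.I)

# Constructed sample lines; "p" and "note" are placeholder parameter names.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2024:10:00:01 +0000] "GET /web/ajax/event.php?p=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2024:10:00:02 +0000] "GET /web/ajax/event.php?p=42%20AND%201%3D1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2024:10:00:03 +0000] "GET /web/ajax/event.php?p=42+and+1%3D2 HTTP/1.1" 200 20',
    '192.0.2.10 - - [01/Nov/2024:10:00:04 +0000] "GET /web/ajax/event.php?note=Front+door+and+garage HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Nov/2024:10:00:05 +0000] "GET /index.php?q=union+select HTTP/1.1" 404 0',
]

def suspicious_params(url):
    """Return names of query parameters on TARGET_PATH whose decoded value looks like SQL."""
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET_PATH):
        return []
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if SQL_TOKENS.search(value) or BOOLEAN_TEST.search(value)]

def scan(lines):
    """Return (line_no, client_ip, status, param_names) for each flagged request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        ip, url, status = match.groups()
        names = suspicious_params(url)
        if names:
            findings.append((line_no, ip, int(status), names))
    return findings

def hits_per_client(findings):
    """Boolean-based probing needs many requests, so repeat sources stand out."""
    return Counter(ip for _, ip, _, _ in findings)

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(hits_per_client(results))
```

Access logs record only the query string, so parameters sent in a POST body need WAF or application-level logging to be inspected the same way.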
