CVE-2026-27470

8.8 HIGH

📋 TL;DR

ZoneMinder versions 1.36.37 and below and 1.37.61 through 1.38.0 contain a second-order SQL injection vulnerability in the web/ajax/status.php file. Authenticated users with Events edit and view permissions can exploit this to execute arbitrary SQL queries against the database. This affects all deployments running vulnerable versions of ZoneMinder.

💻 Affected Systems

Products:
  • ZoneMinder
Versions: 1.36.37 and below, 1.37.61 through 1.38.0
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configurations are vulnerable. Requires authenticated user with Events edit and view permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data exfiltration, modification, or deletion; potential privilege escalation to system-level access; installation of persistent backdoors.

🟠 Likely Case: Unauthorized access to surveillance data, manipulation of event logs, extraction of user credentials, and potential lateral movement within the network.

🟢 If Mitigated: Limited to the authenticated user's permission scope; database integrity maintained through proper input validation and parameterized queries.

🌐 Internet-Facing: HIGH - ZoneMinder is often deployed as internet-facing CCTV management software, making it accessible to attackers who obtain valid credentials.
🏢 Internal Only: MEDIUM - Requires authenticated access, but internal threats or compromised credentials could still exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific permissions. Second-order SQL injection requires understanding of the application flow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.36.38 or 1.38.1

Vendor Advisory: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4

Restart Required: Yes

Instructions:

1. Back up your ZoneMinder database and configuration files.
2. Download the patched version from GitHub releases.
3. Follow the ZoneMinder upgrade documentation for your specific installation method.
4. Restart the ZoneMinder service and web server.

🔧 Temporary Workarounds

Restrict User Permissions (platform: all)

Temporarily remove Events edit and view permissions from non-essential users to reduce the attack surface. Edit ZoneMinder user permissions via the web interface or directly in the database.

Web Application Firewall Rules (platform: linux)

Implement WAF rules that block SQL injection patterns in requests to the /web/ajax/status.php endpoint. The single rule originally listed here denied every request to that path, which also breaks legitimate status polling; the chained form below only denies when the libinjection-based @detectSQLi operator flags an argument (ModSecurity 2.x/3.x syntax).

# Example ModSecurity rule: deny only when the URI matches AND SQLi is detected in any argument
SecRule REQUEST_URI "@contains /web/ajax/status.php" "id:1001,phase:2,deny,status:403,log,msg:'Blocking SQLi attempt against status.php',chain"
    SecRule ARGS "@detectSQLi" "t:urlDecodeUni"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ZoneMinder from critical systems
  • Enable comprehensive logging and monitoring for SQL injection attempts and unusual database queries

🔍 How to Verify

Check if Vulnerable:

Check ZoneMinder version via web interface (Options -> About) or command line: grep ZM_VERSION /usr/share/zoneminder/includes/version.php

Check Version:

grep ZM_VERSION /usr/share/zoneminder/includes/version.php

Verify Fix Applied:

Confirm the installed version is 1.36.38 or higher on the 1.36 branch, or 1.38.1 or higher; note that 1.37.61 through 1.38.0 remain in the affected range. Test the vulnerable endpoint with safe SQL injection test payloads.
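The version check above is easy to get wrong because the affected set has two disjoint ranges and 1.37.61 sorts above 1.36.38. The following is an added example (not ZoneMinder code and not part of this advisory) that parses the ZM_VERSION define from version.php content and applies exactly the ranges stated in the TL;DR. It assumes version.php carries a line of the form define('ZM_VERSION', 'x.y.z'); the sample content is constructed.

```python
import re

# Constructed sample of version.php content; the define() format is an assumption,
# check the real file referenced in the advisory (/usr/share/zoneminder/includes/version.php).
SAMPLE_VERSION_PHP = "<?php\ndefine('ZM_VERSION', '1.37.62');\n"

VERSION_RE = re.compile(r"ZM_VERSION['\"]?\s*,\s*['\"]([0-9][0-9.]*)['\"]")


def parse_version(text):
    """Extract ZM_VERSION from version.php content as a tuple of ints, e.g. (1, 37, 62)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("ZM_VERSION define not found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """Affected per the advisory: 1.36.37 and below, and 1.37.61 through 1.38.0 inclusive.

    Tuple comparison is lexicographic, so (1, 36) < (1, 36, 37) and a bare
    two-component version on the old branch still counts as affected.
    """
    v = tuple(version)
    if v <= (1, 36, 37):
        return True
    if (1, 37, 61) <= v <= (1, 38, 0):
        return True
    return False


def is_fixed(version):
    """True for 1.36.38+ on the 1.36 branch and for 1.38.1+ (the patched releases)."""
    return not is_vulnerable(version)


def check_version_file(path):
    """Read a version.php from disk and report (version, vulnerable)."""
    with open(path, encoding="utf-8") as fh:
        v = parse_version(fh.read())
    return v, is_vulnerable(v)


if __name__ == "__main__":
    v = parse_version(SAMPLE_VERSION_PHP)
    print("ZoneMinder", ".".join(map(str, v)), "vulnerable" if is_vulnerable(v) else "fixed")
```

Point check_version_file at the real version.php on each host; the sample content exists only so the block runs offline.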

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful authentication
  • Requests to /web/ajax/status.php with SQL keywords in parameters

Network Indicators:

  • Unusual database connection patterns from ZoneMinder application server
  • Large data transfers from database to unexpected destinations

SIEM Query:

source="zoneminder.logs" AND uri="/web/ajax/status.php" AND (keywords="SELECT" OR keywords="UNION" OR keywords="INSERT" OR keywords="UPDATE" OR keywords="DELETE")

(Pseudo-query; adapt the source and field names to your SIEM's schema.)
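As an added example of the "requests to /web/ajax/status.php with SQL keywords in parameters" indicator (this is not ZoneMinder code and not part of the advisory), the script below parses Apache combined-format access log lines, URL-decodes each query parameter, and flags status.php requests whose parameter values contain one of the SQL keywords from the SIEM query above. The log lines are constructed; the match on the ajax/status.php path suffix is an assumption so that a deployment served under a different URL prefix still matches, and the second decode pass is there to catch double-encoded values that a single decode would miss.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /web/index.php?view=console HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2026:10:00:02 +0000] "GET /web/ajax/status.php?entity=events&id=12 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2026:10:00:03 +0000] "GET /web/ajax/status.php?entity=events&id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 310 "-" "curl/8.0"
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /web/ajax/status.php?entity=events&id=12%2520UNION%2520SELECT%25201 HTTP/1.1" 200 310 "-" "curl/8.0"
10.0.0.9 - - [01/Mar/2026:10:00:05 +0000] "POST /web/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client, two ignored fields, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords taken from the SIEM query in the advisory; matched as whole words, case-insensitively.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "UPDATE", "DELETE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def suspicious_params(target):
    """Return {param: decoded value} for status.php requests whose values contain SQL keywords.

    Returns an empty dict for any other path, so callers can use it as a filter.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax/status.php"):  # assumption: URL prefix may vary per deployment
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; decode again for double-encoded payloads
        if KEYWORD_RE.search(decoded):
            hits[name] = decoded
    return hits


def scan_log(text):
    """Parse each access log line and collect findings for flagged status.php requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["params"])
```

Feed it the web server's access log rather than the sample to run it for real. Two caveats: keyword matching on parameter values will also fire on benign values that happen to contain words such as "update" or "delete", so treat hits as triage leads rather than verdicts; and because the advisory describes a second-order injection, the injected value may have been stored by an earlier request and only used when status.php runs, so the status.php request itself will not always carry the keywords. The database query log indicator listed above covers that case.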
