CVE-2025-47782
8.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
motionEye is an online interface for the software motion, a video surveillance program with motion detection. In versions 0.43.1b1 through 0.43.1b3, using a constructed (camera) device path with the add/add_camera motionEye web API allows an attacker with motionEye admin user credentials to execute any command within a non-interactive shell as motionEye run user, motion by default. The vulnerability has been patched with motionEye v0.43.1b4. As a workaround, apply the patch manually.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| motioneye-project | motioneye | >= 0.43.1b1, < 0.43.1b4 | affected |
Weaknesses
- CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/motioneye-project/motioneye/security/advisories/GHSA-g5mq-prx7-c588
- https://github.com/motioneye-project/motioneye/issues/3142
- https://github.com/motioneye-project/motioneye/pull/3143
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.