Cyber Posture

CVE-2025-65791

Critical · Public PoC

Published: 18 February 2026

Modified: 11 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly mitigates command injection by requiring validation and sanitization of user inputs before passing them to exec() in web/views/image.php.

prevent

Addresses the specific flaw in ZoneMinder v1.36.34 by identifying, reporting, and correcting the unsanitized input handling in image.php.

prevent

Enforces logical access controls to prevent unauthenticated remote attackers from accessing and exploiting the vulnerable web/views/image.php endpoint.

Security Summary [AI]

ZoneMinder v1.36.34 is affected by CVE-2025-65791, a command injection vulnerability (CWE-78) in the web/views/image.php component. The issue arises when the application passes unsanitized user input directly to the exec() function, potentially allowing arbitrary command execution. The vulnerability was published on 2026-02-18 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). However, it is disputed by the supplier, who asserts there is no unsanitized user input to the affected file.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no authentication, privileges, or user interaction. Successful exploitation enables arbitrary command injection with high impact on confidentiality, integrity, and availability, potentially leading to full system compromise of the targeted ZoneMinder instance.

The primary reference is a GitHub repository at https://github.com/rishavand1/CVE-2025-65791, likely containing proof-of-concept details. No specific patches or mitigation steps are detailed in the available information, though the supplier's dispute suggests the reported input sanitization claims should be reevaluated. Security practitioners should monitor ZoneMinder updates and review the component for exposure.

Details

CWE(s)

Affected Products

zoneminder
zoneminder
1.36.34

MITRE ATT&CK Enterprise Techniques [AI]

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a command injection (CWE-78) in a public-facing web application component (ZoneMinder web/views/image.php), enabling remote unauthenticated exploitation (T1190) for arbitrary Unix shell command execution via exec() (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References