VYPR
High severity · NVD Advisory · Published Jan 31, 2022 · Updated Aug 4, 2024

CVE-2021-44255

Description

Authenticated remote code execution in MotionEye <= 0.42.1 and MotionEyeOS <= 20200606 allows a remote attacker to upload a configuration backup file containing a malicious Python pickle file, which will execute arbitrary code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MotionEye ≤0.42.1 and MotionEyeOS ≤20200606 allow authenticated remote code execution via a malicious pickle file in a configuration backup upload.

Vulnerability

The vulnerability exists in MotionEye versions ≤0.42.1 and MotionEyeOS ≤20200606. The application allows an authenticated administrator to upload a configuration backup file. The backup is processed using Python's pickle module, which can deserialize arbitrary Python objects, leading to code execution. The affected code path is reachable through the backup/restore functionality in the web interface [1][2].

Exploitation

An attacker requires administrator-level credentials to access the web GUI. The attacker prepares a malicious Python pickle payload embedded in a specially crafted configuration backup file (e.g., containing a tasks.pickle file). Once uploaded, the application deserializes the pickle data without validation, triggering execution of the attacker's code on the server [1][4]. No user interaction beyond the upload is needed; the execution occurs during the restore process.

Impact

Successful exploitation results in remote code execution with the privileges of the motionEye process (typically the motion user or root, depending on the deployment). The attacker can execute arbitrary commands, potentially leading to full compromise of the surveillance system, including access to camera feeds, stored data, and the underlying OS [1][2][4].

Mitigation

As of the available references, the vendor has not released a patched version fixing this specific issue. The GitHub repository for motionEye shows version 0.43 introduced multilingual support but no explicit fix for the pickle deserialization [3]. Users should restrict network access to the motionEye web interface, enforce strong admin passwords, and avoid uploading untrusted backup files. If possible, disable or restrict the backup/restore functionality. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
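A restore-time gate of the kind the mitigation implies, added here as an example and not code from motionEye or the advisory: it disassembles a backed-up pickle stream with pickletools before any unpickling and refuses it if it contains opcodes that can import or call code. The file name tasks.pickle comes from the advisory; the sample streams are constructed for the example.

```python
import pickle
import pickletools

# Opcodes that can import arbitrary callables or invoke them while the
# stream is being unpickled. Plain configuration data (dicts, lists,
# strings, numbers, booleans) never needs any of them.
UNSAFE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ",
    "NEWOBJ_EX", "BUILD", "EXT1", "EXT2", "EXT4",
})


def unsafe_pickle_opcodes(data: bytes) -> list:
    """Return the names of risky opcodes in a pickle stream, in order.

    pickletools.genops only disassembles the stream; nothing is executed,
    so it is safe to run on untrusted input. A malformed stream is
    reported as ["MALFORMED"] so that it is treated as unsafe as well.
    """
    try:
        return [op.name for op, _arg, _pos in pickletools.genops(data)
                if op.name in UNSAFE_OPCODES]
    except ValueError:
        return ["MALFORMED"]


def restore_allowed(data: bytes) -> bool:
    """True only when the stream builds nothing beyond plain containers."""
    return not unsafe_pickle_opcodes(data)


def load_backup_pickle(data: bytes):
    """Unpickle a backed-up tasks.pickle only after it passes the gate.

    Raises ValueError instead of ever calling pickle.loads on a stream
    that could import or call code during deserialization.
    """
    flagged = unsafe_pickle_opcodes(data)
    if flagged:
        raise ValueError("refusing to restore pickle with opcodes: "
                         + ", ".join(sorted(set(flagged))))
    return pickle.loads(data)


# Constructed sample streams, not taken from a real motionEye backup.
# Plain configuration data: passes the gate.
BENIGN_BACKUP = pickle.dumps(
    {"cameras": {"1": {"name": "front door", "enabled": True}}})
# A stream that merely references a builtin callable. Harmless here, but it
# uses the opcode class (STACK_GLOBAL) any pickle needs to reach code
# outside the stream, so the gate rejects it.
GLOBAL_REF_BACKUP = pickle.dumps(len)
```

Running the gate before the existing restore path keeps the file format unchanged while closing the deserialization step to anything but data.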

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          | Affected versions | Patched versions
motioneye (PyPI) | <= 0.42.1         | (none)

Affected products: 4

Patches: 0

No patches discovered yet.


References: 5
