CVE-2025-60787

Vulnerability

Overview

MotionEye v0.43.1b4 and earlier contains an OS command injection vulnerability in configuration parameters such as image_file_name and movie_filename. The application writes user-supplied values directly into Motion configuration files without sanitization, allowing shell metacharacters (e.g., $(), backticks) to be interpreted when the Motion service restarts [1][3].

Exploitation

An attacker with admin access to the MotionEye web UI can bypass client-side validation (as demonstrated in a public proof-of-concept [2]) and inject arbitrary commands into these fields. The malicious input is stored in /etc/motioneye/camera-*.conf. When MotionEye restarts the Motion daemon (via motionctl.restart), the injected commands are executed with the privileges of the Motion process [3].

Impact

Successful exploitation grants remote code execution within the MotionEye container. Depending on container privileges, this could lead to host compromise. The vulnerability affects all versions up to and including 0.43.1b4. As of the advisory date, no official patch is available; a workaround involves restricting admin access and implementing additional input validation [2][3].