PT-2025-40530 · Motioneye · Motioneye
Prabhatverma47 · Published 2025-10-03 · Updated 2026-02-14 · CVE-2025-60787
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
MotionEye versions 0.43.1b4 and earlier
Description
MotionEye is susceptible to a command injection issue that allows attackers to achieve Remote Code Execution (RCE). The vulnerability arises because MotionEye writes user-supplied values directly into Motion configuration files without proper sanitization. Specifically, values provided in configuration fields exposed through the Web UI, such as the image file name and movie file name, are written to /etc/motioneye/camera-*.conf. When the Motion service restarts, the Motion binary parses these configuration files and interprets injected characters as shell commands. This allows attackers to execute arbitrary code, potentially gaining full control of the MotionEye container and, depending on container privileges, the host environment. The vulnerability is exploitable by remote authenticated attackers with admin access. Client-side validation can be bypassed by overriding the validation function in the browser console, so only server-side checks count as a control. A proof of concept demonstrates the ability to create files with root permissions and establish a reverse shell connection.
Recommendations
Versions prior to 0.43.1b4 are affected.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
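The description above boils down to two defender-side checks that the vulnerable versions lack: validate the file-name pattern on the server before it is written into camera-*.conf, and audit existing config files for values that already carry shell metacharacters. The following is an added example written for this advisory; it is not motionEye's or Motion's own code. It assumes that a legitimate Motion file-name pattern consists only of letters, digits, `_`, `-`, `.`, `/` and `%` conversion specifiers, and it uses the option names `picture_filename` and `movie_filename` as the config keys behind the "image file name" and "movie file name" fields (treat both as assumptions to verify against the Motion documentation and the motionEye source).

```python
import re

# Allowlisted alphabet for a Motion file-name pattern (assumption for this
# example): letters, digits, '_', '-', '.', '/' and '%' format specifiers.
# Anything else (spaces, ';', '$', '(', backticks, quotes, newlines) is
# refused outright rather than escaped, since the value ends up in a file
# that a shell-capable consumer parses.
_SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_\-./%]+$")
_MAX_LEN = 255

# Config keys that carry user-controlled file-name patterns (assumed names).
FILENAME_KEYS = frozenset({"picture_filename", "movie_filename"})

# Constructed sample camera-1.conf: line 3 carries an injected shell token.
SAMPLE_CONF = """# constructed sample camera-1.conf for this example
picture_filename %Y-%m-%d/%H-%M-%S-%q
movie_filename %v-%Y%m%d%H%M%S $(id)
"""


def is_safe_filename_pattern(value: str) -> bool:
    """Server-side check: True only if the value fits the allowlist, has no
    path traversal and is not an absolute path."""
    if not value or len(value) > _MAX_LEN:
        return False
    if not _SAFE_FILENAME.fullmatch(value):
        return False
    if ".." in value or value.startswith("/"):
        return False
    return True


def render_config_line(key: str, value: str) -> str:
    """Produce a 'key value' line for camera-N.conf, refusing unsafe values.
    This is the point where a client-side-only check would be bypassed, so
    the validation is repeated here regardless of what the browser sent."""
    if key not in FILENAME_KEYS:
        raise ValueError(f"unexpected config key: {key!r}")
    if not is_safe_filename_pattern(value):
        raise ValueError(f"rejected unsafe value for {key}: {value!r}")
    return f"{key} {value}\n"


def audit_config_text(text: str) -> list:
    """Detection: scan an existing config file's text and return
    (line_number, key, value) for every file-name option whose value fails
    the allowlist. Comment lines ('#' or ';') are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        parts = stripped.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key in FILENAME_KEYS and not is_safe_filename_pattern(value):
            findings.append((lineno, key, value))
    return findings


if __name__ == "__main__":
    print(render_config_line("picture_filename", "%Y-%m-%d/%H-%M-%S-%q"), end="")
    for lineno, key, value in audit_config_text(SAMPLE_CONF):
        print(f"line {lineno}: unsafe {key} value {value!r}")
```

Running the audit over every /etc/motioneye/camera-*.conf on an instance that ran an affected version is a cheap way to find out whether the field was ever abused; the allowlist approach is deliberately strict, so a legitimate pattern that uses a character outside the set should be added to the regex rather than handled by escaping.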
Exploit: RCE
Weakness: Improper Encoding or Escaping of Output; OS Command Injection
Affected Products: Motioneye