CVE-2025-60787

Published: Oct 3, 2025Modified: Oct 10, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.

Affected (5)

Products: Motioneye Project: Motioneye

Motioneye Project

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Motioneye Project Motioneye	Version 0.42.1
Motioneye Project Motioneye	Version 0.43.1 beta1
Motioneye Project Motioneye	Version 0.43.1 beta2
Motioneye Project Motioneye	Version 0.43.1 beta3
Motioneye Project Motioneye	Version 0.43.1 beta4

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

http://motioneye-project.com

Source: cve@mitre.org

Broken Link

https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.