CVE-2025-60787

MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as image_file_name. Unsanitized user input is written to Motion configuration files, allowing remote authenticated attackers with admin access to achieve code execution when Motion is restarted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
motioneye_projectmotioneye
0.42.1
motioneye_projectmotioneye
0.43.1:beta1
motioneye_projectmotioneye
0.43.1:beta2
motioneye_projectmotioneye
0.43.1:beta3
motioneye_projectmotioneye
0.43.1:beta4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://motioneye-project.com
https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter