{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/motioneye/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["motionEye (0.44.0)"],"_cs_severities":["critical"],"_cs_tags":["RCE","LFI","motioneye","vulnerability","unauthenticated","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["motionEye project"],"content_html":"\u003cp\u003eA critical multi-stage vulnerability chain in motionEye, affecting versions prior to 0.44.0, allows for unauthenticated remote code execution (RCE) under specific conditions. Attackers can exploit an arbitrary file read (Local File Inclusion or LFI) via the \u003ccode\u003epicture/\u0026lt;id\u0026gt;/download\u003c/code\u003e endpoint, specifically for local motion cameras, to extract sensitive configuration data like the admin password hash. This hash can then be used to forge authentication signatures, granting admin access without the plaintext password (a \u0026quot;pass-the-hash\u0026quot; technique). Subsequently, an unsafe configuration restore function, which extracts attacker-controlled tarballs into the \u003ccode\u003eCONF_PATH\u003c/code\u003e without proper sanitization, can be abused to drop malicious executables. Finally, an unauthenticated action execution endpoint allows for the immediate execution of these injected files, leading to full system compromise. This chain can be exploited unauthenticated if the normal user password is unset, or as an authenticated normal user to escalate to RCE.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Local Camera ID\u003c/strong\u003e: The attacker first identifies or creates a local motion camera ID, which is a prerequisite for exploiting the vulnerable LFI path in \u003ccode\u003epicture/\u0026lt;id\u0026gt;/download\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Read (LFI)\u003c/strong\u003e: The attacker sends a request to \u003ccode\u003e/picture/\u0026lt;id\u0026gt;/download/\u0026lt;absolute_path\u0026gt;\u003c/code\u003e (e.g., \u003ccode\u003e/picture/1/download/%2Fetc%2Fhosts\u003c/code\u003e) to read arbitrary files from the motionEye server's filesystem.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtract Admin Hash\u003c/strong\u003e: Using the LFI, the attacker reads the motionEye configuration file (e.g., \u003ccode\u003e/etc/motioneye/motion.conf\u003c/code\u003e) to obtain the SHA1 hash of the \u003ccode\u003e@admin_password\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Admin Access\u003c/strong\u003e: The attacker computes a valid authentication signature for \u003ccode\u003e/config/restore?_username=admin\u003c/code\u003e using the stolen admin password hash as the key, bypassing standard authentication and gaining administrative privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUpload Malicious Archive\u003c/strong\u003e: The attacker uploads a crafted tar archive containing an executable file named \u003ccode\u003elock_\u0026lt;id\u0026gt;\u003c/code\u003e (or any valid action for a camera ID) via the now-accessible \u003ccode\u003e/config/restore\u003c/code\u003e endpoint. This executable is extracted into \u003ccode\u003eCONF_PATH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecute Malicious Action\u003c/strong\u003e: The attacker sends an unauthenticated POST request to \u003ccode\u003e/action/\u0026lt;id\u0026gt;/lock\u003c/code\u003e. The motionEye server executes the previously injected \u003ccode\u003elock_\u0026lt;id\u0026gt;\u003c/code\u003e file via \u003ccode\u003esubprocess.Popen\u003c/code\u003e, resulting in remote code execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The injected action creates a marker file \u003ccode\u003e/tmp/meye_rce_ok\u003c/code\u003e, confirming successful remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability chain leads to critical consequences. If the normal user password is unset (a common default in some installations), an unauthenticated attacker can achieve full Remote Code Execution (RCE) on the motionEye server. If a normal user password is set, an authenticated normal user can escalate their privileges to admin and then achieve RCE. This allows for arbitrary file read on the server's filesystem and full compromise of the motionEye process account, potentially leading to data exfiltration, service disruption, or further network penetration. The impact in observed testing included creating arbitrary files on the filesystem.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch motionEye\u003c/strong\u003e: Immediately update all motionEye installations to version 0.44.0 or newer to address the vulnerabilities in \u003ccode\u003emotioneye/motioneye/handlers/picture.py\u003c/code\u003e, \u003ccode\u003emotioneye/motioneye/mediafiles.py\u003c/code\u003e, \u003ccode\u003emotioneye/motioneye/handlers/base.py\u003c/code\u003e, \u003ccode\u003emotioneye/motioneye/config.py\u003c/code\u003e, and \u003ccode\u003emotioneye/motioneye/handlers/action.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Rule \u003ccode\u003emotioneye_rce_action_execution\u003c/code\u003e\u003c/strong\u003e: Deploy the provided Sigma rule to detect suspicious process creation originating from the \u003ccode\u003emotioneye\u003c/code\u003e service account, indicating potential RCE.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003eCONF_PATH\u003c/code\u003e Permissions\u003c/strong\u003e: Ensure that the \u003ccode\u003eCONF_PATH\u003c/code\u003e (typically \u003ccode\u003e/etc/motioneye\u003c/code\u003e) has restrictive write permissions, limiting write access only to the necessary motionEye process account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRegularly Review motionEye Logs\u003c/strong\u003e: Monitor \u003ccode\u003emotioneye\u003c/code\u003e service logs for unusual activity, especially for failed authentication attempts, unexpected file accesses, or process creations from the \u003ccode\u003emotioneye\u003c/code\u003e user.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:57:41Z","date_published":"2026-07-03T10:57:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-motioneye-rce-chain/","summary":"An attacker can chain multiple vulnerabilities in motionEye, including an arbitrary file read (LFI), a signature bypass using password hashes, and an unsafe configuration restore, to achieve unauthenticated remote code execution (RCE) if the normal user password is unset, or authenticated RCE from a normal user account.","title":"motionEye: LFI → Pass-the-Hash Admin → Unsafe Restore → Unauthenticated Action Execution (RCE)","url":"https://feed.craftedsignal.io/briefs/2026-07-motioneye-rce-chain/"}],"language":"en","title":"CraftedSignal Threat Feed - Motioneye","version":"https://jsonfeed.org/version/1.1"}