CVE-2016-10140

HIGH

Apache HTTP Server/ZoneMinder <1.30-1.29 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-10140. PoCs published by asaotomo.

AI-analyzed exploit summary This repository contains a functional Python script that exploits CVE-2016-10140, an authentication bypass and information disclosure vulnerability in ZoneMinder v1.30 and v1.29. The exploit sends a crafted HTTP request to read arbitrary files (e.g., /etc/passwd) via path traversal.

Description

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.

Exploits (1)

nomisec WORKING POC 8 stars
by asaotomo · poc
https://github.com/asaotomo/CVE-2016-10140-Zoneminder-Poc

This repository contains a functional Python script that exploits CVE-2016-10140, an authentication bypass and information disclosure vulnerability in ZoneMinder v1.30 and v1.29. The exploit sends a crafted HTTP request to read arbitrary files (e.g., /etc/passwd) via path traversal.

Classification
Working Poc 95%
Attack Type
Info Leak | Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: ZoneMinder v1.30 and v1.29
No auth needed
Prerequisites: Target running vulnerable ZoneMinder version · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Mailing List x_refsource_misc
http://seclists.org/fulldisclosure/2017/Feb/11
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96849
Issue Tracking x_refsource_confirm
https://github.com/ZoneMinder/ZoneMinder/pull/1697
Mailing List x_refsource_misc
http://seclists.org/bugtraq/2017/Feb/6

Scores

CVSS v3 7.5
EPSS 0.0674
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
zoneminder/zoneminder 1.30.0
Published Jan 13, 2017
Tracked Since Feb 18, 2026