CVE-2022-29806
CRITICAL
ZoneMinder < 1.36.13 - Remote Code Execution via Invalid Language Setting
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2022-29806.
PoCs published by Sigm0n, krastanoel, including Metasploit module exploits/unix/webapp/zoneminder_lang_exec.
AI-analyzed exploit summary: This is a functional exploit for CVE-2022-29806, targeting a path traversal vulnerability in ZoneMinder up to 1.36.12. It achieves RCE by manipulating debug log file paths and default language options to write and execute arbitrary PHP code.
Description
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
Exploits (2)
This is a functional exploit for CVE-2022-29806, targeting a path traversal vulnerability in ZoneMinder up to 1.36.12. It achieves RCE by manipulating debug log file paths and default language options to write and execute arbitrary PHP code.
This Metasploit module exploits a chained vulnerability in ZoneMinder (CVE-2022-29806) involving arbitrary file write via debug log manipulation and path traversal in language settings to achieve remote code execution. It authenticates, leaks the installation path, writes a PHP payload to a traversed path, and triggers execution by modifying language settings.
References (5)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H