CVE-2023-26035

Exploitation Summary

EIP tracks 7 public exploits for CVE-2023-26035. PoCs published by rvzsec, rvizx, heapbytes, including Metasploit module exploits/unix/webapp/zoneminder_snapshots. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-26035, an unauthenticated RCE vulnerability in ZoneMinder. The exploit fetches a CSRF token and injects a command into the 'monitor_ids[0][Id]' parameter to achieve remote code execution.

Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.

Exploits (7)

nomisec WORKING POC 24 stars

by rvzsec · poc

https://github.com/rvzsec/CVE-2023-26035

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-26035, an unauthenticated RCE vulnerability in ZoneMinder. The exploit fetches a CSRF token and injects a command into the 'monitor_ids[0][Id]' parameter to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder versions prior to 1.36.33 and 1.37.33

No auth needed

Prerequisites: Target URL · Attacker IP · Port for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 01, 2026 Full analysis →

nomisec WORKING POC 20 stars

by rvizx · poc

https://github.com/rvizx/CVE-2023-26035

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-26035, an unauthenticated RCE vulnerability in ZoneMinder. The exploit fetches a CSRF token and injects a reverse shell payload via the snapshot action, demonstrating the vulnerability effectively.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder versions prior to 1.36.33 and 1.37.33

No auth needed

Prerequisites: Target URL · Attacker IP · Port for reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 7 stars

by heapbytes · poc

https://github.com/heapbytes/CVE-2023-26035

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-26035, a Remote Code Execution (RCE) vulnerability in ZoneMinder versions prior to 1.36.33 and 1.37.33. The exploit leverages CSRF token extraction and command injection via the 'monitor_ids[0][Id]' parameter.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder (Versions prior to 1.36.33 and 1.37.33)

No auth needed

Prerequisites: Network access to the target ZoneMinder instance · Python environment with 'requests' and 'lxml' libraries

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 3 stars

by Yuma-Tsushima07 · poc

https://github.com/Yuma-Tsushima07/CVE-2023-26035

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-26035, an unauthenticated remote code execution vulnerability in ZoneMinder. The exploit fetches a CSRF token and injects a command into the 'monitor_ids[0][Id]' parameter during snapshot creation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder (version not specified)

No auth needed

Prerequisites: Target URI with ZoneMinder installation · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by 0xfalafel · poc

https://github.com/0xfalafel/zoneminder_CVE-2023-26035

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-26035, an unauthenticated remote code execution (RCE) vulnerability in ZoneMinder. The exploit leverages a command injection flaw in the snapshot creation functionality, allowing arbitrary command execution via crafted HTTP requests.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder < 1.36.33 and < 1.37.33

No auth needed

Prerequisites: Network access to the target ZoneMinder instance · Python 3 with requests and BeautifulSoup libraries

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by m3m0o · poc

https://github.com/m3m0o/zoneminder-snapshots-rce-poc

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-26035, an unauthenticated RCE vulnerability in ZoneMinder versions prior to 1.36.33 and 1.37.33. The exploit leverages command injection in the snapshot creation functionality to execute a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder < 1.36.33 and < 1.37.33

No auth needed

Prerequisites: Target URL with ZoneMinder root path · Attacker-controlled IP and port for reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by UnblvR, whotwagner · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/zoneminder_snapshots.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in ZoneMinder by appending commands to the 'create monitor ids[]' action in the snapshot view. It supports both direct command execution and staged payload delivery.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ZoneMinder < 1.36.33, < 1.37.33

No auth needed

Prerequisites: Network access to the ZoneMinder web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ZoneMinder Snapshots - Command Injection

CRITICALVERIFIEDby Unblvr1,whotwagner

Shodan: html:"ZM - Login" || http.html:"zm - login"

FOFA: body="zm - login"

References (2)

Core 2

Core References

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html

Patch, Vendor Advisory x_refsource_confirm

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr

ZoneMinder < 1.36.33 - Unauthenticated Remote Code Execution via Snapshot Action

Exploitation Summary

Description

Exploits (7)

Nuclei Templates (1)

References (2)

Scores

Details