CVE-2025-60787: MotionEye RCE Vulnerability via Command Injection

CVE-2025-60787 is a remote code execution vulnerability in MotionEye affecting v0.43.1b4 and earlier. Authenticated admins can exploit unsanitized configuration parameters to inject OS commands. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: June 2, 2026

CVE-2025-60787 Overview

CVE-2025-60787 is an OS Command Injection vulnerability affecting MotionEye versions 0.43.1b4 and earlier. The flaw resides in configuration parameters such as image_file_name, where unsanitized user input is written directly into Motion configuration files. Authenticated attackers with administrative access can inject arbitrary operating system commands that execute when the Motion process restarts. The issue is categorized under CWE-20: Improper Input Validation. MotionEye is a web-based frontend for the Motion video surveillance daemon, commonly deployed on Linux hosts and Raspberry Pi devices for home and small-business camera monitoring.

Critical Impact

Remote authenticated attackers with admin privileges can achieve arbitrary code execution on the host running MotionEye, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • MotionEye 0.42.1
  • MotionEye 0.43.1 beta1 through beta4
  • All MotionEye releases prior to and including 0.43.1b4

Discovery Timeline

  • 2025-10-03 - CVE-2025-60787 published to the National Vulnerability Database
  • 2025-10-10 - Last updated in NVD database

Technical Details for CVE-2025-60787

Vulnerability Analysis

MotionEye exposes a web administration interface that allows operators to configure Motion daemon parameters. Configuration values entered through the admin UI are persisted to Motion configuration files on disk. The application fails to sanitize input written to fields such as image_file_name before storing them in these configuration files.

When the Motion daemon is restarted, it parses these configuration files and interprets attacker-controlled values as part of command strings. This results in arbitrary OS command execution under the privileges of the Motion process. Because MotionEye is commonly run as root or a privileged service account on appliance-style deployments, successful exploitation often yields complete host control.

The vulnerability requires authenticated administrative access. However, MotionEye deployments frequently use default or weak credentials, and the interface is often exposed beyond trusted networks. The presence of an Exploit-DB entry and a public GitHub proof-of-concept further increases the practical exploitation risk.

Root Cause

The root cause is improper input validation (CWE-20). MotionEye writes configuration parameter values directly into Motion configuration files without escaping shell metacharacters or restricting the character set. Fields like image_file_name are later evaluated in contexts that permit command interpretation, which breaks the trust boundary between configuration data and executable content.

Attack Vector

An attacker authenticates to the MotionEye web interface as an administrator. The attacker submits a crafted value containing shell metacharacters or command substitution sequences into a vulnerable configuration field such as image_file_name. MotionEye saves the payload to the Motion configuration file. When Motion is restarted, either by the attacker triggering a configuration reload or by routine service restart, the injected commands execute on the host.
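To make the trust-boundary failure in the root cause and attack vector concrete, the following Python is an illustrative example written for this page; it is not motionEye's code and does not reproduce the PoC. It assumes Motion's picture_filename and movie_filename keys (the keys motionEye's image_file_name style settings are written out as) and a hook such as on_picture_save whose %f specifier expands to the saved file's path before the command line reaches a shell; both of those are assumptions for illustration. The unsafe writer emits the admin-supplied value verbatim, the hardened writer validates filename parameters against an allowlist that still permits Motion's %-style conversion specifiers, and expand_hook shows what a hook command line looks like once a hostile filename has been substituted into it.

```python
import re
from typing import Dict

# Illustrative example for this page, not motionEye's own implementation.
# Assumed Motion keys: picture_filename / movie_filename (what motionEye's
# image_file_name / movie_file_name settings are written out as) and an
# on_picture_save hook whose %f expands to the saved file's path.

# Motion filename templates legitimately use strftime-style specifiers such as
# %Y-%m-%d/%H-%M-%S plus Motion's own %v (event) and %q (frame), so '%' stays
# legal. Nothing a shell treats specially is ever needed in a filename template.
_FILENAME_ALLOWED = re.compile(r"^[A-Za-z0-9_.%/-]+$")
_SHELL_METACHARS = set(";|&`$(){}<>\n\"'\\ ")

FILENAME_PARAMS = {"picture_filename", "movie_filename", "snapshot_filename"}


class ConfigValidationError(ValueError):
    pass


def write_config_unsafe(params: Dict[str, str]) -> str:
    """The pattern the advisory describes: every value is serialised verbatim."""
    return "".join(f"{key} {value}\n" for key, value in params.items())


def validate_filename_template(name: str, value: str) -> str:
    """Allowlist check for a Motion filename template; raises on anything else."""
    if not value or len(value) > 255:
        raise ConfigValidationError(f"{name}: empty or longer than 255 characters")
    if value.startswith("/") or ".." in value.split("/"):
        raise ConfigValidationError(f"{name}: absolute path or parent-directory traversal")
    bad = sorted(set(value) & _SHELL_METACHARS)
    if bad:
        raise ConfigValidationError(f"{name}: shell metacharacters {bad!r}")
    if not _FILENAME_ALLOWED.match(value):
        raise ConfigValidationError(f"{name}: character outside the filename allowlist")
    return value


def write_config_hardened(params: Dict[str, str]) -> str:
    """Same serialiser, but filename parameters must pass the allowlist first."""
    lines = []
    for key, value in params.items():
        if key in FILENAME_PARAMS:
            value = validate_filename_template(key, value)
        lines.append(f"{key} {value}\n")
    return "".join(lines)


def is_rejected(value: str) -> bool:
    """True if the hardened writer refuses this picture_filename value."""
    try:
        write_config_hardened({"picture_filename": value})
    except ConfigValidationError:
        return True
    return False


def expand_hook(command: str, saved_path: str) -> str:
    """Models a hook command line after %f has been replaced with the saved
    file's path and before the string is handed to a shell. With an
    unsanitised filename template the path carries the injected command."""
    return command.replace("%f", saved_path)


if __name__ == "__main__":
    benign = "%Y-%m-%d/%H-%M-%S-%q"
    hostile = "%Y-%m-%d/%H-%M-%S; id"  # constructed; '; id' is the injected part
    print(write_config_unsafe({"picture_filename": hostile}), end="")
    print("hook sees:", expand_hook(
        "cp %f /srv/archive/",
        "/var/lib/motioneye/Camera1/2025-10-03/12-00-00; id.jpg"))
    print("hardened accepts benign:", not is_rejected(benign))
    print("hardened rejects hostile:", is_rejected(hostile))
```

The allowlist is deliberately narrow: a filename template only needs letters, digits, `_ . % / -`, so anything else is refused rather than escaped, which avoids having to reason about every context in which Motion might later interpolate the value.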

For technical exploitation details, see the GitHub RCE PoC Repository.

Detection Methods for CVE-2025-60787

Indicators of Compromise

  • Unexpected shell metacharacters such as ;, |, `, or $( appearing in Motion configuration files including motion.conf and per-camera thread-*.conf files.
  • Anomalous child processes spawned by the motion or motioneye parent process, particularly shells such as /bin/sh, bash, nc, curl, or wget.
  • Unexpected outbound network connections originating from the host running MotionEye.
  • New cron jobs, SSH authorized keys, or systemd units created shortly after MotionEye configuration changes.

Detection Strategies

  • Monitor process trees for the motion binary spawning interactive shells or networking utilities.
  • Audit MotionEye configuration files for non-printable characters or shell syntax in parameters that should contain filenames or paths.
  • Review MotionEye admin interface authentication logs for unexpected logins or session activity from unfamiliar IP addresses.
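The configuration audit described in the indicators and detection strategies above can be scripted. The following Python is an added example written for this page, not a SentinelOne or motionEye tool: it parses a constructed Motion-style camera configuration, flags shell metacharacters or non-printable bytes in parameters that should only hold paths or filename templates, and flags hook commands (on_event_start, on_picture_save and similar) that invoke shells or network utilities. The key names, the sample file and the 203.0.113.7 address are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on a Motion camera configuration. It is not a
# file captured from a real system; the "; id" and curl lines are the kind of
# residue the indicators above describe.
SAMPLE_CONF = """\
# camera 1
target_dir /var/lib/motioneye/Camera1
picture_filename %Y-%m-%d/%H-%M-%S-%q
movie_filename %Y-%m-%d/%H-%M-%S; id
on_picture_save /usr/local/bin/archive.sh %f
on_event_start /usr/bin/curl http://203.0.113.7/beacon
"""

# Parameters that should only ever hold a path or filename template.
PATH_KEYS = {"target_dir", "picture_filename", "movie_filename", "snapshot_filename"}
# Motion hook parameters that are legitimately command lines.
HOOK_KEY_RE = re.compile(r"^on_[a-z_]+$")
# Characters that have no business in a path parameter.
METACHAR_RE = re.compile(r"""[;|&`$(){}<>'"\\]""")
# Utilities from the indicator list, matched as a standalone command or as the
# last path component (so /usr/bin/curl matches but archive.sh does not).
SUSPECT_BIN_RE = re.compile(
    r"(?:^|[\s/;|&])(?:sh|bash|dash|nc|ncat|netcat|curl|wget|python3?|perl)\b")


@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    reason: str


def scan_motion_config(text: str) -> List[Finding]:
    """Walk a Motion-style 'key value' config and return suspicious entries."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # Motion comment markers
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in PATH_KEYS:
            if METACHAR_RE.search(value):
                findings.append(Finding(line_no, key, value,
                                        "shell metacharacter in path parameter"))
            elif not value.isprintable():
                findings.append(Finding(line_no, key, value,
                                        "non-printable character in path parameter"))
        elif HOOK_KEY_RE.match(key) and SUSPECT_BIN_RE.search(value):
            findings.append(Finding(line_no, key, value,
                                    "hook runs a shell or network utility"))
    return findings


def flagged_keys(text: str) -> List[str]:
    """Convenience wrapper: just the parameter names that were flagged."""
    return [f.key for f in scan_motion_config(text)]


if __name__ == "__main__":
    for f in scan_motion_config(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.key} -> {f.reason}: {f.value!r}")
```

Run it over /etc/motioneye/motion.conf and each thread-*.conf (or camera-*.conf, depending on the motionEye version) after any configuration write; a hook entry that points at an operator-maintained script is expected, while a hook that calls curl, nc or a bare shell directly, or any path parameter containing `;`, `|`, backticks or `$(`, warrants the incident-response steps below.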

Monitoring Recommendations

  • Enable file integrity monitoring on the MotionEye configuration directory, typically /etc/motioneye/ and /etc/motion/.
  • Forward MotionEye and Motion service logs to a centralized SIEM and alert on service restarts correlated with configuration writes.
  • Track network egress from camera and IoT subnets where MotionEye is deployed and flag connections to non-baseline destinations.

How to Mitigate CVE-2025-60787

Immediate Actions Required

  • Restrict access to the MotionEye administrative interface to trusted management networks using firewall rules or a reverse proxy with IP allowlisting.
  • Rotate all MotionEye administrator credentials and verify no default passwords remain in use.
  • Audit existing Motion configuration files for injected payloads and revert any suspicious values to known-good defaults.
  • Reduce the privileges of the Motion and MotionEye service accounts so they do not run as root where feasible.

Patch Information

No official vendor patch URL is listed in the CVE record at the time of publication. Administrators should monitor the MotionEye Project Homepage and the project's GitHub releases for a fixed version superseding 0.43.1b4. Until a patched release is available, apply the workarounds below.

Workarounds

  • Disable remote administrative access and require VPN connectivity to reach the MotionEye web interface.
  • Enforce strong, unique credentials for all MotionEye administrator accounts and enable any available access logging.
  • Run MotionEye and Motion inside a container or with a dedicated unprivileged service user to limit the blast radius of command execution.
  • Manually review and lock down configuration file permissions so that only the service account can modify them.
```bash
# Example: restrict the MotionEye admin interface (default port 8765) to a
# management subnet using iptables. Rule order matters: the ACCEPT must be
# evaluated before the DROP, and before any broader ACCEPT already in the chain.
iptables -A INPUT -p tcp --dport 8765 -s 10.0.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8765 -j DROP

# Example: run MotionEye under a dedicated non-root user and make the
# configuration and data directories accessible only to that account
useradd -r -s /usr/sbin/nologin motioneye
chown -R motioneye:motioneye /etc/motioneye /var/lib/motioneye
chmod -R o-rwx /etc/motioneye
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: MotionEye
  • Severity: HIGH
  • CVSS Score: 7.2
  • EPSS Probability: 57.92%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: High
  • Integrity: High
  • Availability: High

CWE References

  • CWE-20

Technical References

  • MotionEye Project Homepage
  • GitHub RCE PoC Repository