High (8.8)

ZoneMinder SQL Injection Exposes Data (CVE-2026-27470) [PoC]

CVE-2026-27470

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the w...

Overview

A significant security vulnerability has been identified in ZoneMinder, a popular open-source CCTV software. This flaw allows authenticated users with specific permissions to execute malicious commands on the application’s database, potentially leading to data theft, manipulation, or system compromise.

Vulnerability Details

In simple terms, this is a “second-order” SQL injection vulnerability. While ZoneMinder initially stores certain user-provided data (like Event Names and Causes) safely, it fails to properly handle this data when retrieving it later. The software takes this stored information and inserts it directly into new database queries without the necessary security checks. This creates a loophole where a malicious actor can embed hidden database commands within seemingly normal data. When this data is later used, the hidden commands are executed.
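The pattern the advisory describes, as an added illustration that is not code from ZoneMinder or from the advisory: a parameterized write stores a value safely, and a later query splices that stored value back into SQL as text instead of binding it, shown beside the hardened form. It uses an in-memory SQLite table; the Events/Name/Cause names mirror the advisory's wording and are assumed for the example.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the events table (column names assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, Cause TEXT)")
    return db


def store_event(db, name, cause):
    # First order: the write is parameterized, so any value is stored intact.
    cur = db.execute("INSERT INTO Events (Name, Cause) VALUES (?, ?)", (name, cause))
    db.commit()
    return cur.lastrowid


def events_with_same_cause_unsafe(db, event_id):
    # Second order: the stored Cause is read back and concatenated into a new
    # statement, so the database parses whatever the stored text contains.
    cause = db.execute("SELECT Cause FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    sql = "SELECT Id FROM Events WHERE Cause = '" + cause + "'"
    return [row[0] for row in db.execute(sql)]


def events_with_same_cause_safe(db, event_id):
    # Hardened: data coming back out of the database is bound as a parameter,
    # exactly as fresh user input would be.
    cause = db.execute("SELECT Cause FROM Events WHERE Id = ?", (event_id,)).fetchone()[0]
    rows = db.execute("SELECT Id FROM Events WHERE Cause = ?", (cause,))
    return [row[0] for row in rows]


def demo():
    db = make_db()
    # A benign value containing an apostrophe is enough to show that the
    # second query trusts stored data: the unsafe path breaks, the safe one works.
    first = store_event(db, "Motion", "O'Brien's garage")
    store_event(db, "Motion", "O'Brien's garage")
    store_event(db, "Motion", "Driveway")
    try:
        unsafe = events_with_same_cause_unsafe(db, first)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    safe = events_with_same_cause_safe(db, first)
    return unsafe, safe


if __name__ == "__main__":
    print(demo())
```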

Affected Versions:

  • Version 1.36.37 and all prior versions.
  • Versions 1.37.61 through 1.38.0.

Potential Impact

An authenticated user with “Events edit” and “Events view” permissions can exploit this flaw to run arbitrary SQL queries on the ZoneMinder database. Successful exploitation could result in:

  • Data Breach: Extraction of sensitive information, including video metadata, user credentials, and system configuration.
  • Data Manipulation: Alteration, deletion, or corruption of surveillance event logs and system data.
  • System Compromise: In some database configurations, this could be leveraged to execute commands on the underlying server, leading to a full system takeover.

The vulnerability is rated as HIGH severity with a CVSS score of 8.8.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Solution - Upgrade: The issue has been addressed in the latest releases. All users must upgrade to a patched version immediately.

  • Upgrade to ZoneMinder version 1.36.38 if you are on the 1.36.x branch.
  • Upgrade to ZoneMinder version 1.38.1 if you are on the 1.37.x or 1.38.x branch.

Temporary Mitigation (If Immediate Upgrade is Not Possible):

  1. Review User Permissions: Immediately audit and restrict user accounts. Ensure the “Events edit” and “Events view” permissions are granted only to strictly necessary, trusted personnel. Apply the principle of least privilege.
  2. Network Segmentation: Ensure the ZoneMinder server and its database are placed on an isolated, secured network segment, not directly accessible from the internet.
  3. Monitor Logs: Closely monitor ZoneMinder application logs and database query logs for any unusual or suspicious activity.

After applying patches, it is recommended to review database contents for any signs of unauthorized manipulation that may have occurred during the period of exposure.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: kocaemre/CVE-2026-27470
Description: ZoneMinder Second-Order SQL Injection PoC — CVE-2026-27470
Stars: 5

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
