CVE-2025-65791

ZoneMinder · ZoneMinder

ZoneMinder is vulnerable to remote command injection because user-supplied input is passed unsanitized to the exec() function in the image.php view.

Executive summary

A critical command injection vulnerability in ZoneMinder v1.36.34 allows unauthenticated remote attackers to execute arbitrary system commands on the hosting server.

Vulnerability

The application fails to sanitize user input before passing it to the PHP exec() function in web/views/image.php. An unauthenticated remote attacker can exploit this to execute arbitrary OS commands via specially crafted HTTP requests.

Business impact

This vulnerability allows for complete server takeover. Attackers can access camera feeds, delete surveillance data, or use the server as a proxy for further attacks. The CVSS score of 9.8 reflects the critical impact on both data privacy and system integrity.

Remediation

Immediate Action: Update ZoneMinder to the latest version (v1.36.35 or higher) where this input validation issue has been resolved.

Proactive Monitoring: Inspect web server logs for suspicious activity targeting image.php, specifically looking for shell metacharacters in the query parameters.

Compensating Controls: Implement a Web Application Firewall (WAF) to filter out common command injection payloads and restrict access to the ZoneMinder web interface to authorized users only.
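To support the log-review step above, here is an added example (not part of this advisory or of the ZoneMinder project) that scans web server access logs for requests to the image view whose percent-decoded parameter values contain shell metacharacters. It assumes the Apache/nginx combined log format and, as an assumption about how ZoneMinder dispatches views, also treats `index.php?view=image` as a request for `image.php`; the sample log lines and the `fid` parameter name are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a legitimate image request never needs in a parameter value.
SHELL_META = re.compile(r'[;|&`$<>\n\r]')

# Constructed sample lines, not real traffic. Lines 3 and 4 carry an encoded
# ';' and a double-encoded backtick in the (sample) 'fid' value.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /zm/index.php?view=image&fid=12 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /zm/index.php?view=image&fid=12%3B%20foo HTTP/1.1" 200 33',
    '203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /zm/index.php?view=image&fid=%2560foo%2560 HTTP/1.1" 500 0',
]

def decode_params(query):
    """Split the raw query on '&' only, then percent-decode twice so a
    double-encoded metacharacter (e.g. %253B) is still caught."""
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((unquote_plus(name), unquote_plus(unquote_plus(value))))
    return params

def targets_image_view(path, params):
    """True for a direct request to image.php or (assumed dispatch form) index.php?view=image."""
    return path.endswith('/image.php') or (
        path.endswith('/index.php') and ('view', 'image') in params)

def suspicious_params(target):
    """Return {name: decoded value} for image-view parameters containing shell metacharacters."""
    parts = urlsplit(target)
    params = decode_params(parts.query)
    if not targets_image_view(parts.path, params):
        return {}
    return {n: v for n, v in params if SHELL_META.search(v)}

def scan_log(lines):
    """Return (client, timestamp, target, hits) for each request that needs triage."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m.group('target'))):
            findings.append((m.group('client'), m.group('ts'), m.group('target'), hits))
    return findings
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines; each finding names the client, timestamp, request target and the offending decoded parameters, which is what an analyst needs to decide whether the request was an exploitation attempt.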

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the potential for unauthenticated remote code execution, this vulnerability should be treated with the highest priority. Immediate patching is the only effective way to protect the integrity of the surveillance system and the underlying server.