## https://sploitus.com/exploit?id=2EE4C360-3E7E-55FE-A604-329DD6661E0B
# CVE-2025-60787 Detection Rules
Detection content for **CVE-2025-60787**, a remote code execution vulnerability in motionEye <= 0.43.1b4 caused by client-side validation bypass leading to shell injection via motion config files.
---
## Vulnerability Summary
| Field | Detail |
|--------------------|--------|
| CVE | CVE-2025-60787 |
| Affected Software | motionEye <= 0.43.1b4 |
| Attack Type | Remote Code Execution (RCE) |
| Attack Vector | Network (Web UI) |
| Authentication | Low (default blank admin password) |
| CVSS Severity | HIGH |
| Exploit Complexity | Low |
| Public PoC | Yes |
### Root Cause
motionEye's web UI validates filename fields (such as `picture_filename`) using a JavaScript function called `configUiValid`. An attacker can override this function in the browser console to bypass all client-side validation. Arbitrary values, including shell subshell syntax such as `$(command)`, can then be saved into the motion daemon config files. When motion re-reads its config or restarts, the shell syntax is interpreted and executed.
### Attack Chain
```
1. Attacker opens motionEye web UI (default port 8765 or 9999)
2. Attacker runs in browser console:
configUiValid = function() { return true; };
3. Attacker pastes payload into Settings โ Still Images โ Image File Name:
$(touch /tmp/test).%Y-%m-%d-%H-%M-%S
4. Attacker clicks Apply / saves the config
5. motionEye writes the unsanitised value into camera-N.conf
6. When motion restarts or reloads config, the shell command executes
```
### Public PoC Reference
- [prabhatverma47/motionEye-RCE-through-config-parameter](https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter)
---
## Repository Structure
```
cve-2025-60787-detection/
โโโ README.md
โโโ MITRE_ATTACK.md
โโโ rules/
โ โโโ yara/
โ โ โโโ motioneye_rce_cve_2025_60787.yar
โ โโโ kql/
โ โโโ 01_web_request_js_bypass_and_shell_payload.kql
โ โโโ 02_process_execution_shell_spawned_by_motion.kql
โ โโโ 03_file_creation_tmp_by_motion_process.kql
โ โโโ 04_docker_exec_and_syslog_motioneye.kql
โ โโโ 05_threat_hunting_motioneye_config_file_changes.kql
โโโ docs/
โโโ iocs.md
```
---
## YARA Rules
**File:** `rules/yara/motioneye_rce_cve_2025_60787.yar`
Three rules are provided.
| Rule Name | Purpose | Confidence |
|-----------|---------|------------|
| `MotionEye_RCE_Config_Injection_CVE_2025_60787` | Shell injection in motion config files | High |
| `MotionEye_RCE_JS_Bypass_CVE_2025_60787` | JS validation bypass string in traffic/logs | High |
| `MotionEye_RCE_PoC_Payload_CVE_2025_60787` | Known PoC payload fragments | Critical |
### Usage
```bash
# Scan a directory of config files
yara -r rules/yara/motioneye_rce_cve_2025_60787.yar /etc/motioneye/
# Scan captured HTTP traffic (PCAP export)
yara -r rules/yara/motioneye_rce_cve_2025_60787.yar /path/to/traffic.bin
# Scan a container filesystem export
docker export motioneye | tar -x -C /tmp/container_fs/
yara -r rules/yara/motioneye_rce_cve_2025_60787.yar /tmp/container_fs/
```
---
## KQL Queries (Microsoft Sentinel / Defender for Endpoint)
| File | Data Source | What It Detects |
|------|-------------|-----------------|
| `01_web_request_js_bypass_and_shell_payload.kql` | CommonSecurityLog, W3CIISLog | JS bypass and shell payloads in HTTP logs |
| `02_process_execution_shell_spawned_by_motion.kql` | DeviceProcessEvents | Shell processes spawned by motion daemon |
| `03_file_creation_tmp_by_motion_process.kql` | DeviceFileEvents | Files dropped in /tmp by motion process |
| `04_docker_exec_and_syslog_motioneye.kql` | Syslog, ContainerLog | Docker exec and suspicious container log entries |
| `05_threat_hunting_motioneye_config_file_changes.kql` | DeviceFileEvents | Proactive hunting on camera config modifications |
### Coverage Notes
- Query 01 requires your WAF, proxy, or IDS to log HTTP POST body content. Without this, JS bypass activity is not visible in standard web logs.
- Queries 02 and 03 are the highest-value detections as they catch post-exploitation behaviour regardless of how the config was injected.
- Query 05 is a hunting query, not an alert. Run it periodically and review flagged config files manually for shell metacharacters.
---
## Indicators of Compromise
See [docs/iocs.md](docs/iocs.md) for the full IOC list.
Key indicators:
- `configUiValid = function() { return true; }` in HTTP request body or browser session logs
- `picture_filename` or `image_file_name` containing `$(`, `` ` ``, `;`, `|`, or `&` in `camera-*.conf`
- Shell processes (sh, bash) with `motion` as the parent process
- Unexpected files created in `/tmp`, `/var/tmp`, or `/dev/shm` by the motion process
---
## Remediation
1. Upgrade motionEye to a version that sanitises filename config values server-side.
2. Restrict access to the motionEye web UI to trusted networks or hosts only. Do not expose port 8765 or 9999 to the internet.
3. Change the default blank admin password immediately after deployment.
4. Monitor `camera-*.conf` files for unexpected modifications.
5. Run the motionEye container with a read-only filesystem where possible and restrict `/tmp` write access.
---
## MITRE ATT&CK Mapping
See [MITRE_ATTACK.md](MITRE_ATTACK.md) for full mapping.
| Tactic | Technique |
|--------|-----------|
| Initial Access | T1190 - Exploit Public-Facing Application |
| Execution | T1059.004 - Command and Scripting Interpreter: Unix Shell |
| Defense Evasion | T1565.001 - Stored Data Manipulation |
| Persistence | T1036 - Masquerading |
---
## References
- [NVD - CVE-2025-60787](https://nvd.nist.gov/vuln/detail/CVE-2025-60787)
- [Public PoC and writeup](https://github.com/prabhatverma47/motionEye-RCE-through-config-parameter)
- [motionEye upstream project](https://github.com/motioneye-project/motioneye)
- [MITRE ATT&CK T1059.004](https://attack.mitre.org/techniques/T1059/004/)
- [MITRE ATT&CK T1190](https://attack.mitre.org/techniques/T1190/)
---
## License
Detection rules in this repository are released under the MIT License. See [LICENSE](LICENSE) for details.