
CVE-2026-25643: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in blakeblackshear frigate

Critical
Published: Fri Feb 06 2026 (02/06/2026, 19:16:26 UTC)
Source: CVE Database V5
Vendor/Project: blakeblackshear
Product: frigate

Description

CVE-2026-25643 is a critical remote command execution vulnerability in the Frigate NVR software prior to version 0.16.4. It arises from improper sanitization of user input in the video stream configuration file (config.yaml), allowing OS command injection via the exec: directive. Exploitation requires administrative privileges or an exposed Frigate instance without authentication, enabling attackers to execute arbitrary system commands. The vulnerability has a CVSS score of 9.1, reflecting its high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, unpatched systems remain at significant risk. The flaw is fixed in version 0.

AI-Powered Analysis

Last updated: 02/06/2026, 19:44:30 UTC

Technical Analysis

CVE-2026-25643 is a critical OS command injection vulnerability affecting the Frigate network video recorder (NVR) software, specifically in versions prior to 0.16.4. Frigate integrates with the go2rtc service to handle IP camera video streams. The vulnerability stems from improper neutralization of special elements in user-supplied input within the video stream configuration file (config.yaml). Specifically, the exec: directive allows injection of arbitrary system commands because the go2rtc service executes these commands without adequate input validation or sanitization. This flaw is categorized under CWE-78 (OS Command Injection), CWE-250 (Execution with Unnecessary Privileges), CWE-269 (Improper Privilege Management), and CWE-668 (Exposure of Resource to Wrong Sphere). Exploitation requires either administrative access or an unsecured Frigate installation exposed to the internet without authentication, which would allow any remote attacker to gain full control over the underlying system. The vulnerability has a CVSS v3.1 base score of 9.1, indicating critical severity with network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change affecting confidentiality, integrity, and availability. Although no public exploits are currently reported, the potential for full system compromise makes this a high-risk issue. The vendor fixed the vulnerability in Frigate version 0.16.4 by properly sanitizing inputs and restricting command execution capabilities. Organizations relying on Frigate for IP camera management should upgrade immediately and audit their exposure and access controls to mitigate risk.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of video surveillance systems and potentially the broader network infrastructure. Successful exploitation could allow attackers to execute arbitrary commands with elevated privileges, leading to full system compromise, data exfiltration, manipulation or deletion of video recordings, and disruption of surveillance operations. This is particularly critical for sectors relying heavily on video surveillance for security, such as critical infrastructure, transportation, public safety, and corporate environments. Exposure of Frigate instances to the internet without proper authentication greatly increases attack surface. Given the critical nature of the vulnerability and the widespread use of IP camera systems in Europe, unpatched deployments could be targeted for espionage, sabotage, or ransomware attacks. The impact extends beyond the device itself, as compromised systems could serve as pivot points for lateral movement within organizational networks.

Mitigation Recommendations

1. Immediately upgrade all Frigate installations to version 0.16.4 or later to apply the official patch that fixes the command injection flaw.
2. Restrict network exposure of Frigate instances; avoid direct internet exposure and place devices behind firewalls or VPNs with strict access controls.
3. Enforce strong authentication mechanisms for administrative access to Frigate to prevent unauthorized configuration changes.
4. Regularly audit configuration files (config.yaml) for unauthorized or suspicious entries, especially those involving the exec: directive.
5. Implement network segmentation to isolate surveillance systems from critical IT infrastructure, limiting potential lateral movement.
6. Monitor logs and system behavior for signs of exploitation attempts or unusual command executions.
7. Educate administrators on secure configuration practices and the risks of exposing management interfaces publicly.
8. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous command execution patterns related to Frigate or go2rtc services.
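Recommendation 4 as an added example (not Frigate's or go2rtc's own code): a standard-library scan that lists every exec: source in a config.yaml and marks the ones missing from a reviewed baseline. The go2rtc/streams layout, the sample config and the baseline entry are constructed assumptions, and only one-line values are handled.

```python
import re

# Constructed sample; the go2rtc -> streams layout and all values are assumed for illustration.
SAMPLE_CONFIG = """\
mqtt:
  host: 10.0.0.2
go2rtc:
  streams:
    front_door:
      - rtsp://10.0.0.5:554/stream1   # plain RTSP pull
      - "ffmpeg:front_door#audio=aac"
    garage:   # test pattern
      - "exec:ffmpeg -re -i /media/test.mp4 -c copy -f rtsp {output}"
    side_gate: exec:/config/helper.sh {output}
"""

# Optional "- " list marker, optional "key:" followed by space or end of line, then the value.
ENTRY = re.compile(r"^\s*(?:-\s+)?(?:(?P<key>[\w.-]+):(?:\s+|$))?(?P<val>.*)$")


def scalar(val):
    """Reduce a one-line YAML value to its text: unquote it or drop a trailing comment."""
    val = val.strip()
    if val[:1] in ("'", '"'):
        end = val.find(val[0], 1)
        return val[1:end] if end != -1 else val[1:]
    return re.sub(r"(?:^|\s)#.*$", "", val).strip()


def audit_exec_sources(config_text, approved=frozenset()):
    """Return (line_no, stream, source, status) for every value that starts with exec:."""
    findings, current = [], None
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = ENTRY.match(raw)
        key, val = m.group("key"), scalar(m.group("val"))
        if key and not val:
            current = key          # a bare "name:" line opens a stream (or section)
        elif val.lower().startswith("exec:"):
            status = "approved" if val in approved else "UNAPPROVED"
            findings.append((no, key or current, val, status))
    return findings


if __name__ == "__main__":
    baseline = {"exec:ffmpeg -re -i /media/test.mp4 -c copy -f rtsp {output}"}
    for finding in audit_exec_sources(SAMPLE_CONFIG, baseline):
        print(finding)
```

Run it from a scheduled job against the live config and alert on any UNAPPROVED row; the baseline should be kept under change control, separate from the host being audited.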


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-04T05:15:41.791Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69864142f9fa50a62f2a7496

Added to database: 2/6/2026, 7:30:10 PM

Last enriched: 2/6/2026, 7:44:30 PM

Last updated: 2/6/2026, 8:39:24 PM
