📄 Description (English)
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
🤖 AI Executive Summary
ZoneMinder versions 1.36.37 and below, and 1.37.61 through 1.38.0 contain a second-order SQL injection vulnerability in the getNearEvents() function that allows authenticated users with event management permissions to execute arbitrary SQL queries. The vulnerability exploits unsafe concatenation of previously stored event data (Name and Cause fields) into SQL WHERE clauses. With CVSS 8.8 and active exploits available, this poses significant risk to surveillance infrastructure across Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 22:56
🇸🇦 Saudi Arabia Impact Assessment
Critical impact on Saudi government surveillance systems, particularly those used by Ministry of Interior, General Directorate of Investigations, and border security operations. High risk for banking sector CCTV systems (SAMA-regulated institutions), healthcare facilities under MOH, and critical infrastructure monitoring (ARAMCO, SEC, water/electricity utilities). Telecom operators (STC, Mobily, Zain) using ZoneMinder for facility monitoring face data exfiltration and system compromise risks. Attackers with event management credentials could extract sensitive surveillance data, modify audit logs, or pivot to backend systems.
🏢 Affected Saudi Sectors
Government & Law Enforcement
Banking & Financial Services
Healthcare
Energy & Utilities
Telecommunications
Transportation & Border Security
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1110 - Brute Force (credential-based access required)
T1557 - Man-in-the-Middle (if unencrypted connections)
T1005 - Data from Local System (exfiltration via SQL injection)
T1078 - Valid Accounts (leveraging event management permissions)
T1021 - Remote Services (lateral movement via database access)
T1070 - Indicator Removal (log tampering via SQL injection)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all ZoneMinder installations: scan network for port 8080/8443 and check /web/index.php version strings
2. Restrict access to ZoneMinder web interface to trusted networks only via firewall rules
3. Audit user accounts with 'Events edit' and 'Events view' permissions; disable unnecessary accounts
4. Review access logs in /var/log/zoneminder/ for suspicious SQL patterns or unusual event modifications
PATCHING GUIDANCE:
1. Upgrade immediately to version 1.36.38 or 1.38.1+ (patches available)
2. For systems unable to patch immediately, apply input validation: disable event name/cause editing until patched
3. Implement database user privilege separation: ZoneMinder DB user should have SELECT-only on events table
COMPENSATING CONTROLS:
1. Deploy WAF rules to block SQL keywords in HTTP POST parameters to /web/ajax/status.php
2. Enable database query logging and alert on UNION/SELECT/DROP keywords in event-related queries
3. Implement database activity monitoring (DAM) to detect anomalous SQL execution
4. Restrict ZoneMinder database credentials to read-only for non-administrative operations
DETECTION RULES:
1. Monitor for POST requests to /web/ajax/status.php with parameters containing: UNION, SELECT, DROP, INSERT, UPDATE, OR 1=1
2. Alert on database connections from ZoneMinder user executing queries outside normal event retrieval patterns
3. Track modifications to event Name/Cause fields followed by unusual database activity within 5 minutes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات ZoneMinder: مسح الشبكة للمنفذ 8080/8443 والتحقق من سلاسل الإصدار في /web/index.php
2. تقييد الوصول إلى واجهة ZoneMinder على الشبكات الموثوقة فقط عبر قواعد جدار الحماية
3. تدقيق حسابات المستخدمين بأذونات 'تحرير الأحداث' و'عرض الأحداث'؛ تعطيل الحسابات غير الضرورية
4. مراجعة سجلات الوصول في /var/log/zoneminder/ للأنماط المريبة أو تعديلات الأحداث غير المعتادة
إرشادات التصحيح:
1. الترقية فوراً إلى الإصدار 1.36.38 أو 1.38.1+ (التصحيحات متاحة)
2. للأنظمة غير القادرة على التصحيح فوراً، تطبيق التحقق من الإدخال: تعطيل تحرير اسم/سبب الحدث حتى يتم التصحيح
3. تنفيذ فصل امتيازات مستخدم قاعدة البيانات: يجب أن يكون لمستخدم ZoneMinder DB إذن SELECT فقط على جدول الأحداث
الضوابط التعويضية:
1. نشر قواعد WAF لحظر كلمات SQL الرئيسية في معاملات HTTP POST إلى /web/ajax/status.php
2. تفعيل تسجيل استعلامات قاعدة البيانات والتنبيه على كلمات UNION/SELECT/DROP في الاستعلامات المتعلقة بالأحداث
3. تنفيذ مراقبة نشاط قاعدة البيانات (DAM) للكشف عن تنفيذ SQL غير طبيعي
4. تقييد بيانات اعتماد قاعدة بيانات ZoneMinder للعمليات القراءة فقط للعمليات غير الإدارية
قواعد الكشف:
1. مراقبة طلبات POST إلى /web/ajax/status.php مع معاملات تحتوي على: UNION، SELECT، DROP، INSERT، UPDATE، أو 1=1
2. التنبيه على اتصالات قاعدة البيانات من مستخدم ZoneMinder الذي ينفذ استعلامات خارج أنماط استرجاع الأحداث العادية
3. تتبع التعديلات على حقول اسم/سبب الحدث متبوعة بنشاط قاعدة بيانات غير عادي خلال 5 دقائق
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control: Restrict ZoneMinder access to authorized personnel only
5.2.1 - Data Protection: Implement encryption for ZoneMinder database connections
5.3.1 - Vulnerability Management: Patch ZoneMinder to latest version immediately
5.4.1 - Incident Response: Monitor and log all ZoneMinder database activities
🔵 SAMA CSF
ID.AM-2: Software inventory and version tracking of ZoneMinder deployments
PR.AC-1: Access control policies for event management permissions
PR.DS-1: Data security through parameterized queries and input validation
DE.CM-1: Continuous monitoring of ZoneMinder web interface and database queries
RS.MI-1: Incident mitigation procedures for SQL injection exploitation
🟡 ISO 27001:2022
A.5.1.1 - Information security policies for application security
A.8.1.1 - User access management and privilege separation
A.8.2.1 - User access provisioning and removal procedures
A.12.2.1 - Change management for security patches
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration to restrict ZoneMinder access
Requirement 2.2.4 - Configure system security parameters and remove unnecessary services
Requirement 6.2 - Ensure security patches are installed within defined timeframe
Requirement 6.5.1 - Injection flaws prevention through parameterized queries
Requirement 10.2.1 - Implement user access logging and monitoring
🔗 References & Sources 4
🔗
https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.38
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/ZoneMinder/zoneminder/releases/tag/1.38.1
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-r6gm-478g-f2c4
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://owasp.org/www-community/attacks/SQL_Injection
security-advisories@github.com
Not Applicable
📦 Affected Products / CPE 2 entries
zoneminder:zoneminder
zoneminder:zoneminder