PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10140 ZoneMinder CVE debrief

CVE-2016-10140 is an information disclosure and authentication bypass issue tied to the Apache HTTP Server configuration bundled with ZoneMinder. NVD and the CVE references describe a remote unauthenticated attacker being able to browse directories in the web root, potentially exposing CCTV images through the /events URI.

Vendor: ZoneMinder
Product: CVE-2016-10140
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

ZoneMinder administrators running affected deployments, especially those exposing the web interface to untrusted networks. Security teams that rely on Apache configuration to protect web-root content and camera archives should verify that anonymous directory browsing is not possible.

Technical summary

The supplied records describe a misconfiguration in the Apache HTTP Server setup bundled with ZoneMinder v1.29 and v1.30. A remote unauthenticated attacker can browse directories under the web root, creating an information disclosure path and bypassing intended access controls. The NVD entry classifies the issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-200. The description specifically notes exposure of CCTV images via the /events URI.

Defensive priority

High. The issue is network-reachable, requires no authentication, and can expose sensitive camera footage and directory contents.

Recommended defensive actions

  • Confirm your deployed ZoneMinder release includes the upstream fix referenced by the linked ZoneMinder commit/pull request, or backport the fix if you maintain a downstream package.
  • Review Apache and ZoneMinder access controls for /events and other web-root paths; ensure anonymous users cannot list directories or read archived media.
  • Disable directory browsing where it is not explicitly required and verify authentication rules are enforced before any sensitive content is served.
  • Restrict exposure of the ZoneMinder web interface to trusted networks or VPN-only access until remediation is complete.
  • After remediation, validate from an unauthenticated client that the web root and /events no longer reveal directory listings or CCTV images.
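A post-remediation check matching the last action above, written here as an added example (not PatchSiren's or ZoneMinder's code): it fetches the web root and /events with no credentials and classifies the response. The base URL is a placeholder, and the markers it looks for are the ones Apache mod_autoindex emits in generated listings.

```python
"""Unauthenticated check that the ZoneMinder web root and /events no longer
return an Apache directory listing or raw media (CVE-2016-10140).
Added example; the base URL below is an assumed placeholder."""
import re
import urllib.error
import urllib.request

# Markers present in Apache mod_autoindex listing pages.
_AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_AUTOINDEX_SORT_LINKS = re.compile(r'href="\?C=[NMSD];O=[AD]"', re.IGNORECASE)
_MEDIA_TYPES = ("image/jpeg", "image/png", "video/")


def classify_response(status: int, content_type: str, body: str) -> str:
    """Classify an unauthenticated response to a ZoneMinder web-root path.

    'directory-listing' - autoindex page (the exposure this CVE describes)
    'media'             - image/video served without authentication
    'blocked'           - 401/403/404, nothing disclosed
    'other'             - anything else (e.g. the ZoneMinder login form)
    """
    if status in (401, 403, 404):
        return "blocked"
    ctype = content_type.lower()
    if status == 200 and ctype.startswith(_MEDIA_TYPES):
        return "media"
    if status == 200 and "text/html" in ctype and (
        _AUTOINDEX_TITLE.search(body) or _AUTOINDEX_SORT_LINKS.search(body)
    ):
        return "directory-listing"
    return "other"


def probe(base_url: str, path: str, timeout: float = 10.0) -> str:
    """GET base_url + path with no cookies or credentials and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "zm-index-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(65536).decode("utf-8", "replace") if "text" in ctype else ""
            return classify_response(resp.status, ctype, body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", ""), "")


if __name__ == "__main__":
    base = "http://zoneminder.example.internal/zm"  # placeholder, not a real host
    for path in ("/", "/events/"):
        print(path, probe(base, path))  # anything but 'blocked'/'other' needs attention
```

Run it from a client outside the trusted network, since a listing that is only reachable from an admin workstation can still hide behind a different vhost or ACL than the one Internet-facing users hit.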

Evidence notes

The evidence comes from the NVD CVE record and its linked references. The CVE description states that the Apache configuration bundled with ZoneMinder v1.29 and v1.30 allows remote unauthenticated browsing of web-root directories and viewing CCTV images via /events. NVD assigns CWE-200 and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Linked references include Bugtraq, Full Disclosure, SecurityFocus BID 96849, and the upstream ZoneMinder commit and pull request.

Official resources

Public CVE record published 2017-01-13 and later modified 2026-05-13; this debrief relies only on the supplied official records and linked references.