PatchSiren cyber security CVE debrief

CVE-2016-10204 Zoneminder CVE debrief

CVE-2016-10204 is a critical SQL injection issue in Zoneminder 1.30.0 and earlier. NVD states that a remote attacker can execute arbitrary SQL commands through the limit parameter in a log query request to index.php. The CVE was published on 2017-03-03 and the NVD record was later modified on 2026-05-13.

Vendor: Zoneminder
Product: CVE-2016-10204
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Zoneminder administrators, security teams, and operators of any deployment running version 1.30.0 or earlier, especially systems exposed to untrusted networks.

Technical summary

NVD classifies the weakness as CWE-89 (SQL Injection) and rates it CVSS 3.0 9.8/CRITICAL with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerable surface is a log query request handled by index.php, where the value of the limit parameter reaches a SQL query without adequate validation or parameterization. The affected version range in the NVD CPE data is Zoneminder up to and including 1.30.0.

Defensive priority

Urgent. This is network-reachable, requires no privileges or user interaction, and is scored as critical with high impact across confidentiality, integrity, and availability.

Recommended defensive actions

  • Inventory Zoneminder deployments and confirm whether any instance is running 1.30.0 or earlier.
  • Upgrade to a patched or supported Zoneminder release newer than 1.30.0.
  • Restrict access to the Zoneminder web interface to trusted networks until remediation is complete.
  • Review application and database logs for unexpected SQL activity associated with index.php log query requests.
  • If exposure is confirmed, validate database integrity and rotate credentials used by the application as part of incident response.
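The log-review step above can be turned into a small, repeatable check. The following script is an added example written for this debrief, not code from Zoneminder or from the PatchSiren corpus. It assumes the web server writes Apache combined-format access logs and that a log query request can be recognised by its path ending in index.php together with a limit query parameter (the debrief names only those two facts, so any other parameter names are deliberately not assumed). It flags every such request whose limit value is not a plain non-negative integer, which is the only shape a legitimate row limit should take. The log lines are constructed for the example.

```python
import re
from typing import Optional, List, Dict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format; none of this is real traffic.
# Line 3 and line 5 carry non-integer limit values and should be flagged;
# line 4 targets a hypothetical path that is not index.php and should be ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2017:10:00:01 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2017:10:00:02 +0000] "GET /zm/index.php?limit=100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2017:10:00:03 +0000] "GET /zm/index.php?limit=100%27 HTTP/1.1" 500 512 "-" "curl/7.52"
203.0.113.7 - - [03/Mar/2017:10:00:04 +0000] "GET /zm/other.php?limit=x HTTP/1.1" 404 256 "-" "curl/7.52"
198.51.100.9 - - [03/Mar/2017:10:00:05 +0000] "GET /zm/index.php?limit=10&limit=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate row limit is a plain non-negative integer and nothing else.
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_limit(target: str) -> Optional[str]:
    """Return the first limit value that is not a plain integer for an
    index.php request, or None when the request looks benign.

    Empty values and repeated limit parameters are checked as well, since
    both are shapes a normal UI client would not produce."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "index.php":
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("limit", []):
        if INTEGER_RE.fullmatch(value) is None:
            return value
    return None


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and collect index.php requests whose limit
    parameter is not a plain integer. Unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue
        bad = suspicious_limit(match["target"])
        if bad is not None:
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "method": match["method"],
                "status": int(match["status"]),
                "limit": bad,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["method"]} '
              f'status={finding["status"]} limit={finding["limit"]!r}')
```

Two limits of this check are worth stating. It only sees parameters sent in the query string; the debrief does not say whether the log query request carries limit in the URL or in a POST body, so on a deployment that posts the form, correlate with the application's own log table or enable request-body logging at the proxy. It is also a presence check, not a verdict: a flagged line shows that someone sent a malformed limit, and the database-integrity and credential-rotation steps above are the response if any such line comes from a host that should not have been talking to the instance at all.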

Evidence notes

The source corpus includes the NVD CVE record, which lists the vulnerability status as Modified, the affected CPE range through 1.30.0, CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and CWE-89. References in the corpus include an oss-security mailing list post and a Foxmole advisory; both are tagged as exploit-related references, but this debrief does not rely on them for attack details.

Official resources

CVE published by CVE/NVD on 2017-03-03; NVD record modified on 2026-05-13. Not listed as a CISA KEV item in the supplied enrichment data.