PatchSiren cyber security CVE debrief

CVE-2017-5368 Zoneminder CVE debrief

CVE-2017-5368 is a CSRF issue in ZoneMinder v1.29 and v1.30 that can let an attacker induce a logged-in victim’s browser to submit unauthorized state-changing requests. According to the CVE record, this can be used to make changes to the web application as the victim and, in the described scenario, create a new admin user for persistence and follow-on access. The issue is rated high severity because it combines network reachability, no attacker authentication, and high confidentiality/integrity/availability impact when a victim is tricked into visiting a malicious page.

Vendor: Zoneminder
Product: CVE-2017-5368
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Organizations running ZoneMinder 1.29 or 1.30, especially deployments where administrative users access the web console from browsers that may also visit untrusted content. Security teams should also care if ZoneMinder is exposed beyond tightly controlled internal networks.

Technical summary

NVD classifies the weakness as CWE-352 (Cross-Site Request Forgery). The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, reflecting a network-reachable issue that requires user interaction but no prior attacker privileges. The vulnerable behavior centers on the authenticated web interface at /zm/index.php, where a forged request can cause privileged actions in the context of the victim’s session. NVD’s referenced material ties the issue to third-party advisories from February 2017.
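To make the CWE-352 weakness concrete, here is an added illustration (not ZoneMinder's code and not from the advisories) of a state-changing "add user" handler in two forms: one that honours any POST carrying the victim's session cookie, and a hardened one that additionally requires a per-session synchronizer token and an exact Origin/Referer match. The hostname, cookie name and form field names are assumptions chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin of the ZoneMinder console; an assumed value for this example.
TRUSTED_ORIGIN = "https://zm.example.internal"


@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Sessions:
    """In-memory session store keyed by the session cookie value."""

    def __init__(self):
        self._store = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        # One unguessable CSRF token per session: same-origin pages embed it
        # in their forms, while a page on another site cannot read it.
        self._store[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._store.get(sid)


def same_origin(url, trusted):
    """Exact scheme+host comparison; a plain prefix check would wrongly
    accept a host such as zm.example.internal.attacker.example."""
    a, b = urlsplit(url), urlsplit(trusted)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def vulnerable_add_user(sessions, req, users):
    """Unprotected handler (models the CWE-352 weakness): any POST that
    carries the victim's session cookie is honoured. Not ZoneMinder's code;
    the cookie and form field names are assumed."""
    sess = sessions.get(req.cookies.get("zmSession"))
    if req.method != "POST" or sess is None:
        return 403
    users[req.form["username"]] = req.form.get("role", "user")
    return 200


def protected_add_user(sessions, req, users):
    """Hardened handler: same action, but the request must come from the
    console's own origin and carry the session's CSRF token."""
    sess = sessions.get(req.cookies.get("zmSession"))
    if req.method != "POST" or sess is None:
        return 403
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source, TRUSTED_ORIGIN):
        return 403
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    users[req.form["username"]] = req.form.get("role", "user")
    return 200


def demo():
    """Replay a constructed forged request and a legitimate one through both
    handlers and return the outcomes."""
    sessions = Sessions()
    sid = sessions.login("admin")
    # Forged request: a page on another site auto-submits a form; the browser
    # attaches the victim's cookie, but that page cannot supply the token.
    forged = Request("POST", "/zm/index.php", {"zmSession": sid},
                     headers={"Origin": "https://attacker.example"},
                     form={"username": "backdoor", "role": "admin"})
    # Legitimate request from the console's own page, token included.
    legit = Request("POST", "/zm/index.php", {"zmSession": sid},
                    headers={"Origin": TRUSTED_ORIGIN},
                    form={"username": "operator", "role": "user",
                          "csrf_token": sessions.get(sid)["csrf"]})
    vuln_users, safe_users = {}, {}
    return {
        "vulnerable_forged": vulnerable_add_user(sessions, forged, vuln_users),
        "protected_forged": protected_add_user(sessions, forged, safe_users),
        "protected_legit": protected_add_user(sessions, legit, safe_users),
        "vuln_users": vuln_users,
        "safe_users": safe_users,
    }


if __name__ == "__main__":
    print(demo())
```

The token check is what actually closes the hole; the origin check is defence in depth, since older browsers may omit Origin and privacy settings may strip Referer, which is why a missing header is treated as a failure rather than a pass.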

Defensive priority

High. The combination of remote reach, low complexity, and the potential to create administrative users makes this a priority issue for environments using affected ZoneMinder versions.

Recommended defensive actions

  • Verify whether any ZoneMinder systems are running versions 1.29 or 1.30 and treat them as affected.
  • Apply the vendor’s remediation or upgrade to a fixed release if available in your maintenance path.
  • Confirm that all state-changing actions in the web UI require anti-CSRF protections.
  • Review administrative workflows for additional session protections such as re-authentication before privileged changes.
  • Restrict access to the ZoneMinder web console to trusted users and trusted networks where possible.
  • Audit existing admin accounts and recent changes for unexpected account creation or privilege changes.
  • Check web and application logs for suspicious requests to the ZoneMinder interface originating from authenticated sessions.
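For the log review item above, here is an added example (not from PatchSiren, NVD or the ZoneMinder project) that scans web-server access logs in the common "combined" format and flags POST requests to /zm/index.php whose Referer points at another site, or is absent. The trusted hostname and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hostname users are expected to reach the console through; assumed value.
TRUSTED_HOST = "zm.example.internal"

# Apache/nginx "combined" format: client, ident, user, time, request line,
# status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines, not real ZoneMinder traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2017:10:01:02 +0000] "GET /zm/index.php HTTP/1.1" 200 5120 '
    '"https://zm.example.internal/zm/index.php" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Feb/2017:10:01:30 +0000] "POST /zm/index.php HTTP/1.1" 302 0 '
    '"https://zm.example.internal/zm/index.php" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Feb/2017:10:05:17 +0000] "POST /zm/index.php HTTP/1.1" 302 0 '
    '"http://attacker.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Feb/2017:10:06:00 +0000] "POST /zm/index.php HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Feb/2017:10:07:00 +0000] "GET /zm/index.php HTTP/1.1" 200 3000 '
    '"-" "Mozilla/5.0"',
]


def find_suspicious(lines, trusted_host=TRUSTED_HOST):
    """Return (client, time, verdict) tuples for POSTs to /zm/index.php whose
    Referer is from another site ("cross-site") or missing ("review")."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith("/zm/index.php"):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            # Browsers and privacy extensions sometimes strip Referer, so this
            # is a lower-confidence finding that still merits a look.
            verdict = "review: state-changing request without Referer"
        else:
            host = urlsplit(referer).hostname
            if host == trusted_host:
                continue
            verdict = f"cross-site: Referer host {host}"
        findings.append((m["ip"], m["time"], verdict))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

The access log does not record whether a request rode an authenticated session, so correlate any hit with ZoneMinder's own user table and audit of recent account changes, which the checklist above already calls for.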

Evidence notes

The vulnerability details, affected versions, CVSS vector, and CWE mapping come from the NVD record for CVE-2017-5368. The CVE references list contemporaneous advisories from Bugtraq and Full Disclosure in February 2017, supporting the CSRF and admin-user-creation description. No exploit steps are provided here beyond the defensive characterization of the affected web action.

Official resources

CVE published and initially recorded on 2017-02-06. The NVD entry was last modified on 2026-05-13. The referenced third-party advisories are dated February 2017.