PatchSiren cyber security CVE debrief

CVE-2017-5595 ZoneMinder CVE debrief

CVE-2017-5595 is an authenticated local file disclosure issue in ZoneMinder 1.x through v1.30.0. NVD describes it as unfiltered user input being passed to readfile() in web/views/file.php, enabling a low-privileged authenticated attacker to read files from the server’s filesystem via path traversal in the path parameter. The published CVSS v3.0 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, reflecting a confidentiality-focused issue rather than an integrity or availability impact.

Vendor: ZoneMinder
Product: ZoneMinder
CVE: CVE-2017-5595
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

ZoneMinder administrators, defenders responsible for shared or multi-user ZoneMinder deployments, and teams with authenticated but low-privilege users who can access the web interface. Systems where the web server account can read sensitive local files are the primary concern.

Technical summary

NVD lists the weakness as CWE-200 and scopes it to ZoneMinder versions up to and including 1.30.0. The issue is in web/views/file.php, where user-controlled input is used in a file read operation without adequate filtering. According to the CVE description, an authenticated attacker can supply dot-dot path traversal sequences in zm/index.php?view=file&path= requests to read local system files in the context of the web server user.
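As an added illustration of the weakness class described above (this is not ZoneMinder's code, and it is in Python rather than the PHP of web/views/file.php), the following contrasts three ways of handling a user-controlled path before a file read: no filtering at all, a prefix check that looks adequate but is not, and a containment check on the canonicalised path. The web root /srv/zm and the sample paths are assumptions made for the example.

```python
import os
from typing import Optional


def vulnerable_resolve(web_root: str, user_path: str) -> str:
    """The weakness class: join the user's path and read it, with no filtering.

    os.path.join discards web_root entirely when user_path is absolute, and
    "../" segments walk out of it. Whatever this returns would go straight
    to the equivalent of readfile().
    """
    return os.path.join(web_root, user_path)


def naive_prefix_check(web_root: str, user_path: str) -> bool:
    """A common but insufficient fix: normalise, then string-compare a prefix.

    It stops "../../etc/passwd", but accepts "../zm-evil/x" because
    "/srv/zm-evil/x" starts with "/srv/zm", and it never follows symlinks.
    """
    candidate = os.path.normpath(os.path.join(web_root, user_path))
    return candidate.startswith(web_root)


def safe_resolve(web_root: str, user_path: str) -> Optional[str]:
    """Return the canonical path if it lies inside web_root, else None.

    realpath resolves symlinks and ".." before the comparison, and
    commonpath compares whole path components, so a sibling directory whose
    name merely shares a prefix is rejected. The caller should still confirm
    the result is a regular file before reading it.
    """
    base = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised when the paths share no root at all (e.g. different Windows
        # drives); that is certainly not inside web_root.
        inside = False
    return candidate if inside else None


def is_contained(web_root: str, user_path: str) -> bool:
    """Convenience wrapper: does safe_resolve accept this path?"""
    return safe_resolve(web_root, user_path) is not None


if __name__ == "__main__":
    # Constructed inputs for the example; the web root is an assumption.
    root = "/srv/zm"
    for p in ["events/1/00001-capture.jpg", "sub/../events/snap.jpg",
              "../../../../etc/passwd", "/etc/passwd", "../zm-evil/x"]:
        print(f"{p!r:30} unfiltered={vulnerable_resolve(root, p)!r:38} "
              f"prefix_ok={naive_prefix_check(root, p)!s:5} "
              f"contained={is_contained(root, p)}")
```

The "../zm-evil/x" case is the one worth remembering: a normalise-and-startswith check passes it, a component-wise comparison after realpath does not. Canonicalising both sides also means a symlink planted under the web root cannot be used to escape it.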

Defensive priority

Medium. The published vector scores the attack vector as Local, but the trigger described in the CVE is an authenticated HTTP request to the web interface, so in practice any account that can log in to ZoneMinder can reach it; what it does require is valid credentials. The impact is confidentiality only, but it extends to any file the web server account can read. Prioritize it if ZoneMinder authentication is available to multiple users, if the server stores secrets or credentials on disk, or if the application runs with broad filesystem read access.

Recommended defensive actions

  • Apply the vendor fix referenced in the ZoneMinder GitHub commit linked in the CVE record.
  • Restrict access to ZoneMinder authentication and administrative roles to trusted users only.
  • Review whether the web server account has unnecessary read access to sensitive local files and reduce filesystem exposure where possible.
  • Monitor web server access logs and application logs for requests to zm/index.php?view=file&path= whose path value contains dot-dot segments or an absolute path, including percent-encoded forms such as %2e%2e%2f.
  • Inventory systems running ZoneMinder 1.x through v1.30.0 and confirm they are updated to a release that contains the fix or are otherwise remediated.
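The monitoring action above, worked through as an added Python example (not code from the page, from ZoneMinder, or from any log tool): it parses Apache combined-format access-log lines, isolates view=file requests, percent-decodes the path parameter until it is stable so that double-encoded probes are not missed, and flags dot-dot segments or absolute paths. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines for the example; these are not
# real ZoneMinder logs. Lines 3-5 are the probes the scan should surface.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2017:10:14:02 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Feb/2017:10:14:09 +0000] "GET /zm/index.php?view=file&path=events/1/00001-capture.jpg HTTP/1.1" 200 84211 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2017:10:15:30 +0000] "GET /zm/index.php?view=file&path=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.52.1"
10.0.0.9 - - [06/Feb/2017:10:15:41 +0000] "GET /zm/index.php?view=file&path=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 219 "-" "curl/7.52.1"
10.0.0.9 - - [06/Feb/2017:10:15:55 +0000] "GET /zm/index.php?view=file&path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843 "-" "curl/7.52.1"
10.0.0.7 - - [06/Feb/2017:10:16:10 +0000] "POST /zm/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e (double-encoded '.') is seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(path_param: str) -> bool:
    """True if the decoded path is absolute or contains a '..' segment."""
    p = fully_decode(path_param).replace("\\", "/")
    return p.startswith("/") or any(seg == ".." for seg in p.split("/"))


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Return one record per view=file request whose path parameter traverses.

    Only query-string parameters are visible in an access log; a path sent
    in a POST body (last sample line) cannot be seen here and needs
    application-level logging instead.
    """
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes once, as the web server itself does; a
        # double-encoded probe still reaches us with one layer of encoding.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("view", [""])[0] != "file":
            continue
        for raw in qs.get("path", []):
            if is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "path": fully_decode(raw),
                    # A 200 means a body came back: treat as probable disclosure.
                    "served": m.group("status") == "200",
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {flag:7} {hit["status"]} {hit["path"]}')
```

The status code is kept because it separates a probe that was refused (403) from one that was answered (200), which is the distinction an incident responder needs when deciding whether disclosure actually occurred. The double-encoded line is still flagged even though a server that decodes only once would not traverse on it: it is evidence of deliberate probing from that client.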

Evidence notes

The CVE record and NVD detail identify the affected product as ZoneMinder 1.x through v1.30.0, with a CVSS v3.0 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N and weakness CWE-200. The referenced ZoneMinder GitHub commit is tagged as a vendor advisory/patch. MITRE-listed references include Bugtraq, Full Disclosure, and SecurityFocus entries from February 2017, consistent with the CVE’s public disclosure timeframe.

Official resources

The CVE was published on 2017-02-06, and the supporting advisories and vendor patch reference are from February 2017. This debrief uses the CVE publication date as the disclosure anchor.