FLIR AX8 Command Injection Vulnerability in Backend Subscription Management

Vulnerability

A critical command injection vulnerability has been identified in the FLIR AX8 camera, affecting versions through 1.46.16. The issue resides in the backend component, specifically within the file '/usr/www/application/models/subscriptions.php'. The vulnerability arises in the 'subscribe_to_spot', 'subscribe_to_delta', and 'subscribe_to_alarm' functions, where the application improperly sanitizes user input, allowing remote attackers to execute arbitrary commands on the server.
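The advisory does not reproduce the affected code. As an added illustration that is not FLIR's code, the following PHP shows the pattern behind this bug class (a request parameter concatenated into a shell command) next to a hardened handler that allowlists the parameters and passes them as an argument array; the handler, parameter names and helper binary path are hypothetical.

```php
<?php
// Illustrative example, not the vendor's code. Assumes a hypothetical handler
// that runs a helper binary when an authenticated user creates a subscription.

// Strict allowlist validation for every parameter a subscription request carries.
function validate_subscription_params(array $input): array
{
    $allowed_types = ['spot', 'delta', 'alarm'];
    if (!isset($input['type'], $input['id']) || !in_array($input['type'], $allowed_types, true)) {
        throw new InvalidArgumentException('unsupported subscription type');
    }
    // Identifiers are short alphanumeric tokens; anything else (including shell
    // metacharacters) is rejected before it can reach a command line.
    if (!is_string($input['id']) || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $input['id'])) {
        throw new InvalidArgumentException('invalid subscription id');
    }
    return ['type' => $input['type'], 'id' => $input['id']];
}

// Vulnerable pattern: unvalidated input is concatenated into a shell command,
// so the shell interprets any metacharacters the caller supplies in 'id'.
function build_command_unsafe(array $input): string
{
    return '/usr/bin/subscribe --' . $input['type'] . ' ' . $input['id']; // hypothetical helper
}

// Hardened pattern: validate first, then hand the arguments to proc_open() as an
// array (PHP >= 7.4) so no shell parses them. On older PHP, wrap each argument
// with escapeshellarg() and still keep the allowlist check above.
function run_subscribe_safe(array $input): int
{
    $p = validate_subscription_params($input);
    $argv = ['/usr/bin/subscribe', '--' . $p['type'], $p['id']]; // hypothetical helper
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start helper');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // helper's exit status
}
```

Logging each rejected request from validate_subscription_params() gives defenders a simple detection signal for attempts against these handlers.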

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a request to the 'subscribe_to_spot', 'subscribe_to_delta', or 'subscribe_to_alarm' functions in the 'subscriptions.php' model. This can be done after authenticating successfully on the device.

Remediation

Users are advised to upgrade to FLIR AX8 version 1.55.16, available for download from the FLIR Customer Support website.

Added: Jun 5, 2025, 9:49 PM
Updated: Jun 5, 2025, 11:44 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.