CVE-2018-25140

Summary

FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication.

Affected Software

VendorProductVersion RangeStatus
FLIR Systems, Inc.Thermal Traffic CamerasV1.01-0bb5b27affected
FLIR Systems, Inc.Thermal Traffic CamerasE1.00.09affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.02.P01affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.05.P01affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.04.P02affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.04affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.01.P02affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.05.P03affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.06affected
FLIR Systems, Inc.Thermal Traffic CamerasV1.02.P02affected

Weaknesses

  • CWE-306: Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

References