CVE-2025-5126

Summary

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

Affected Software

VendorProductVersion RangeStatus
Teledyne FLIRAX81.46.0affected
Teledyne FLIRAX81.46.1affected
Teledyne FLIRAX81.46.2affected
Teledyne FLIRAX81.46.3affected
Teledyne FLIRAX81.46.4affected
Teledyne FLIRAX81.46.5affected
Teledyne FLIRAX81.46.6affected
Teledyne FLIRAX81.46.7affected
Teledyne FLIRAX81.46.8affected
Teledyne FLIRAX81.46.9affected
Teledyne FLIRAX81.46.10affected
Teledyne FLIRAX81.46.11affected
Teledyne FLIRAX81.46.12affected
Teledyne FLIRAX81.46.13affected
Teledyne FLIRAX81.46.14affected
Teledyne FLIRAX81.46.15affected
Teledyne FLIRAX81.46.16affected
Teledyne FLIRAX81.49.16unaffected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References