CVE-2025-5127

Summary

A vulnerability was determined in Teledyne FLIR AX8 up to 1.46.16. This issue affects some unknown processing of the file /prod.php. Executing manipulation of the argument cmd can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.49.16 is capable of addressing this issue. It is recommended to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

Affected Software

VendorProductVersion RangeStatus
Teledyne FLIRAX81.46.0affected
Teledyne FLIRAX81.46.1affected
Teledyne FLIRAX81.46.2affected
Teledyne FLIRAX81.46.3affected
Teledyne FLIRAX81.46.4affected
Teledyne FLIRAX81.46.5affected
Teledyne FLIRAX81.46.6affected
Teledyne FLIRAX81.46.7affected
Teledyne FLIRAX81.46.8affected
Teledyne FLIRAX81.46.9affected
Teledyne FLIRAX81.46.10affected
Teledyne FLIRAX81.46.11affected
Teledyne FLIRAX81.46.12affected
Teledyne FLIRAX81.46.13affected
Teledyne FLIRAX81.46.14affected
Teledyne FLIRAX81.46.15affected
Teledyne FLIRAX81.46.16affected
Teledyne FLIRAX81.49.16unaffected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References