CVE-2025-5695

Summary

A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. This impacts the function subscribe_to_spot/subscribe_to_delta/subscribe_to_alarm of the file /usr/www/application/models/subscriptions.php of the component Backend. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.49.16 will fix this issue. It is suggested to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

Affected Software

VendorProductVersion RangeStatus
Teledyne FLIRAX81.46.0affected
Teledyne FLIRAX81.46.1affected
Teledyne FLIRAX81.46.2affected
Teledyne FLIRAX81.46.3affected
Teledyne FLIRAX81.46.4affected
Teledyne FLIRAX81.46.5affected
Teledyne FLIRAX81.46.6affected
Teledyne FLIRAX81.46.7affected
Teledyne FLIRAX81.46.8affected
Teledyne FLIRAX81.46.9affected
Teledyne FLIRAX81.46.10affected
Teledyne FLIRAX81.46.11affected
Teledyne FLIRAX81.46.12affected
Teledyne FLIRAX81.46.13affected
Teledyne FLIRAX81.46.14affected
Teledyne FLIRAX81.46.15affected
Teledyne FLIRAX81.46.16affected
Teledyne FLIRAX81.49.16unaffected

Weaknesses

  • CWE-77: Command Injection
  • CWE-74: Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References