CVE-2025-7578
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-07-15
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| teledyne | flir_fb-series_o | 1.3.2.16 |
| teledyne | flir_fh-series_id | 1.3.2.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7578 is a critical command injection vulnerability in Teledyne FLIR FB-Series O and FLIR FH-Series ID firmware version 1.3.2.16. It exists in the sendCommand function of the runcmd.sh script, where manipulation of the cmd argument allows an attacker to inject arbitrary system commands remotely. This function uses a hardcoded backdoor password for authorization. Although currently disabled due to server CGI configuration errors, this latent vulnerability could be activated if the server configuration changes, making it a 'time bomb'. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to execute arbitrary system commands remotely on the affected device, potentially compromising the confidentiality, integrity, and availability of the system. This could lead to unauthorized control, data breaches, or disruption of services. However, exploitation is currently difficult due to the disabled functionality, and no public exploits are known. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability means checking whether the sendCommand function and the runcmd.sh script are present and reachable on FLIR FB-Series O and FH-Series ID devices running firmware version 1.3.2.16. Because the issue is command injection through the cmd argument, you can determine whether the backend script is accessible or enabled by probing for the production.html page or the runcmd.sh script on the device; network scanning tools such as nmap can identify open CGI endpoints. It is also important to inspect the server CGI configuration to verify whether the sendCommand functionality is enabled or disabled. The referenced resources do not provide specific commands, but a general approach is to use curl or wget to test access to the production.html page or the runcmd.sh script, for example: curl http://<device-ip>/production.html or curl http://<device-ip>/runcmd.sh. Monitoring logs for unusual command execution attempts or unexpected network traffic may also help detect exploitation attempts. [1, 2]
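The log-monitoring suggestion above can be turned into a concrete check. The following Python script is an added example, not part of the BaseFortify record or of any Teledyne FLIR tooling: it scans web-server access logs for requests to the two endpoints the advisory names (runcmd.sh and production.html), escalates when runcmd.sh answers with a 2xx status (which would mean the CGI handler is live rather than disabled), and escalates further when the cmd parameter carries shell metacharacters, the classic CWE-77 signal. The combined access-log format, the /cgi-bin/ prefix and the sample lines are assumptions constructed for the example; the endpoint names and the cmd parameter come from the advisory text.

```python
"""Scan access logs for requests to the CGI endpoints named in the advisory
and for shell metacharacters in the cmd parameter of runcmd.sh."""
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoints named in the advisory's detection guidance.
SENSITIVE_SUFFIXES = ("/runcmd.sh", "/production.html")
# Characters a POSIX shell interprets specially; their presence in a value that
# should be a single command word is the classic CWE-77 indicator.
SHELL_META = re.compile(r"[;|&`$<>(){}\n]")

# Apache/nginx "combined" log format. The camera's real log format is not
# documented on the page, so this format is an assumption for the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not real device logs). The last line carries a
# harmless illustrative metacharacter value so the rule has something to flag.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jul/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Jul/2025:10:01:05 +0000] "GET /production.html HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.12 - - [14/Jul/2025:10:01:09 +0000] "GET /cgi-bin/runcmd.sh?cmd=status HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.12 - - [14/Jul/2025:10:01:12 +0000] "POST /cgi-bin/runcmd.sh HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.13 - - [14/Jul/2025:10:02:00 +0000] "GET /cgi-bin/runcmd.sh?cmd=status%3Bid HTTP/1.1" 200 64 "-" "python-requests/2.31"
"""


def query_params(query):
    """Split a raw query string on '&' only, so a ';' inside a value survives.
    (urllib.parse.parse_qs treats ';' as a separator on older Pythons, which
    would hide exactly the character we are looking for.)"""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def classify_request(ip, ts, method, target, status):
    """Return a finding dict for a request that touches an advisory-listed
    endpoint, or None for ordinary traffic."""
    parts = urlsplit(target)
    if not parts.path.endswith(SENSITIVE_SUFFIXES):
        return None
    finding = {"ip": ip, "time": ts, "method": method, "path": parts.path,
               "status": status, "severity": "info",
               "reason": "request to advisory-listed endpoint"}
    if not parts.path.endswith("/runcmd.sh"):
        return finding
    live = 200 <= status < 300  # handler answered: it does not look disabled
    suspicious = [v for v in query_params(parts.query).get("cmd", [])
                  if SHELL_META.search(v)]
    if live and suspicious:
        finding.update(severity="critical", cmd=suspicious[0],
                       reason="shell metacharacters in cmd and endpoint responded 2xx")
    elif suspicious:
        finding.update(severity="high", cmd=suspicious[0],
                       reason="shell metacharacters in cmd parameter")
    elif live:
        finding.update(severity="high",
                       reason="runcmd.sh responded 2xx; endpoint appears enabled")
    return finding


def analyze_log(text):
    """Parse every line of an access log and return the list of findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skipped
        f = classify_request(m["ip"], m["ts"], m["method"], m["target"], int(m["status"]))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:12} {f['method']:4} {f['path']} "
              f"{f['status']} - {f['reason']}")
```

Run it against the device's exported web logs (or a syslog feed, after adjusting LOG_RE to the real format); any "high" or "critical" finding on runcmd.sh contradicts the advisory's statement that the functionality is disabled and should trigger a configuration review, while "info" findings on production.html are reconnaissance indicators worth correlating with the source address.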
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include verifying and ensuring that the vulnerable sendCommand functionality is disabled by maintaining the current server CGI configuration errors that prevent its activation. Since the vendor has not provided any patches or countermeasures, and the functionality is currently disabled, it is critical to avoid changing server configurations that might enable this feature. Replacement of the affected product is suggested as a precaution. Additionally, restricting network access to the device, especially from untrusted networks, can reduce the risk of remote exploitation. Monitoring for any changes in server configuration or unexpected activation of the vulnerable functionality is also recommended. [2]