CVE-2018-25138
Hard-Coded Credentials in FLIR AX8 Enable Unauthorized Access
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lighttpd | lighttpd | 1.4.33 |
| flir | neco_v1.8-0-g7ffe5b3 | * |
| flir | flir_ax8_thermal_camera | 1.32.16 |
| flir | flir_ax8_thermal_camera | 1.17.13 |
| php | php | 5.4.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the FLIR AX8 Thermal Camera firmware version 1.32.16 (and also version 1.17.13) where hard-coded SSH and web panel credentials are embedded within the device's Linux distribution image. These credentials cannot be changed through normal camera operations. Attackers can exploit these persistent, default credentials to gain unauthorized shell access and log into multiple camera interfaces, including SSH and the web panel, using predefined username and password combinations. [2, 3]
How can this vulnerability impact me?
This vulnerability allows attackers to gain unauthorized access to the FLIR AX8 Thermal Camera by using hard-coded credentials. Such access compromises the device: an attacker obtains shell access and can log in to multiple interfaces. It can potentially disrupt critical industrial monitoring operations, cause denial of service (DoS), and expose sensitive monitoring data. Since the credentials cannot be changed, the device remains vulnerable until patched. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the FLIR AX8 Thermal Camera using the known hard-coded credentials via SSH or the web panel. Specifically, you can try SSH login attempts with username 'fliruser' and password '3vlig', or root user with password 'hello'. For the web panel, try default credentials such as 'admin:admin', 'user:user', and 'viewer:viewer'. Network scanning tools can also be used to identify devices running the affected firmware versions and services (SSH, web panel). Example commands include: 1) ssh fliruser@<device_ip> and enter password '3vlig'; 2) ssh root@<device_ip> with password 'hello'; 3) using curl or a browser to access the web panel and attempt login with default credentials. These attempts can confirm if the device is vulnerable. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the affected FLIR AX8 Thermal Cameras by isolating them from untrusted networks, implementing firewall rules to block unauthorized SSH and web panel access, and monitoring for unauthorized login attempts. Since the hard-coded credentials cannot be changed through normal camera operations, it is critical to apply any available patches or firmware updates provided by FLIR once released. Additionally, following FLIR's cybersecurity best practices and hardening guides is recommended to reduce exposure until a patch is applied. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized access to the device through hard-coded credentials, it could potentially lead to unauthorized access to sensitive data or disruption of critical industrial monitoring operations, which may affect compliance with security and privacy requirements in such regulations. No direct statements about compliance impact are available in the provided text. [2, 3]