CVE-2018-25140
Unauthenticated WebSocket Manipulation in FLIR Thermal Cameras
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flir | vip-ip | * |
| flir | ti_bpl2_edge | * |
| flir | trafiradar | * |
| flir | trafione | * |
| flir | traficam | * |
| flir | ti_x-stream | * |
| flir | trafisense | * |
| flir | thermicam | * |
| flir | thermal_traffic_cameras | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects FLIR thermal traffic cameras' WebSocket implementation, which lacks proper authentication and authorization controls. Attackers can bypass security by sending crafted WebSocket messages without authentication, allowing them to manipulate device configurations, access sensitive system information, and potentially cause denial of service by rebooting the device. Additionally, the devices do not support secure WebSocket connections (wss://), transmitting data in plaintext and exposing communications to man-in-the-middle attacks. The WebSocket service also fails to validate the Origin header, making it vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. [1, 2]
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized exposure of sensitive system information, unauthorized modification of device configurations, and denial of service by remotely rebooting the devices. Attackers can gain full control over affected FLIR thermal traffic cameras, which can disrupt Intelligent Transportation Systems (ITS) operations, compromise traffic monitoring, and potentially cause safety and operational issues. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to connect to the device's WebSocket endpoint without authentication and observing whether unauthorized commands are accepted. The WebSocket endpoint is typically ws://<device_ip>:13042/ws/xml2. Commands such as GetProductInformation, GetConfiguration, and GetSystemLogs can be sent to retrieve sensitive information. The absence of an HTTP 401 Unauthorized response when connecting to the WebSocket endpoint indicates the vulnerability. A proof-of-concept Python script exists that demonstrates connecting and sending commands like GetProductInformation to confirm the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor-released patches and firmware updates available since September 17, 2018, which address the authentication and authorization issues. Additionally, network-level controls such as restricting access to the WebSocket port (13042) to trusted hosts, disabling WebSocket services if not needed, and monitoring for unusual WebSocket traffic can help reduce risk. Implementing network segmentation and using VPNs or secure tunnels to access devices can also mitigate exposure. Since the devices do not support secure WebSocket (wss://), encrypting traffic via other means is recommended. [1, 2]
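The monitoring step above, as an added example (not code from the vendor or the advisory): it audits captured WebSocket handshakes addressed to port 13042 and `/ws/xml2`, flagging sources outside a trusted range and foreign `Origin` headers of the kind a Cross-Site WebSocket Hijacking attempt would carry. The trusted subnet, the allowed Origin host and the sample requests are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

WS_PORT = 13042        # WebSocket port named on this page
WS_PATH = "/ws/xml2"   # endpoint path named on this page
# Assumptions for illustration: trusted management subnet and console origin.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_ORIGIN_HOSTS = {"its-console.example.internal"}

def parse_handshake(raw):
    """Split a raw HTTP upgrade request into (path, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers

def audit(src_ip, dst_port, raw):
    """Return findings for one captured handshake sent to a camera."""
    path, headers = parse_handshake(raw)
    is_ws = "websocket" in headers.get("upgrade", "").lower()
    if dst_port != WS_PORT or not is_ws or urlsplit(path).path != WS_PATH:
        return []  # not a WebSocket upgrade to the camera endpoint
    findings = []
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    # Browsers send Origin on WebSocket handshakes; a foreign one suggests CSWSH.
    origin = headers.get("origin")
    if origin is not None and urlsplit(origin).hostname not in ALLOWED_ORIGIN_HOSTS:
        findings.append("foreign-origin")
    return findings

def sample_request(origin=None):
    """Build a constructed handshake (not real traffic) for the demo."""
    lines = ["GET /ws/xml2 HTTP/1.1", "Host: 10.20.0.50:13042",
             "Upgrade: websocket", "Connection: Upgrade"]
    if origin:
        lines.append("Origin: " + origin)
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(audit("10.20.0.7", 13042, sample_request()))
    print(audit("10.20.0.7", 13042, sample_request("http://news.example.com")))
    print(audit("203.0.113.9", 13042, sample_request()))
```

Because the devices speak plaintext ws://, the handshake is visible to a network sensor or reverse proxy in front of the cameras, which is where a check like this would run.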
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to sensitive system information and device configurations, which could lead to exposure of personal or sensitive data. This unauthorized access and potential data exposure may result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls over access to sensitive information and device security. However, specific impacts on compliance are not detailed in the provided resources. [1, 2]