CVE-2017-20212
Information Disclosure in FLIR Thermal Camera Firmware via Unauthenticated File Read
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flir | thermal_camera_f_fc_pt_d | 8.0.0.64 |
| flir | thermal_camera_f_fc_pt_d | 10.0.2.43 |
| flir | thermal_camera_f_fc_pt_d | From 1.3.2 (inc) to 1.4.1 (inc) |
| flir | nexus_server | From 2.5.13.0 (inc) to 2.5.29.0 (inc) |
| flir | lighttpd | 1.4.28 |
| flir | php | 5.4.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in FLIR Thermal Camera F/FC/PT/D series firmware version 8.0.0.64 and related software. It is caused by improper input validation in the web API endpoint `/api/xml`, specifically in the `readFile` function in `/var/www/data/controllers/api/xml.php`. The function accepts a `file` parameter that is not properly sanitized or verified before being used to read files from the local filesystem. As a result, an unauthenticated attacker can exploit this flaw to read arbitrary files on the device, including sensitive system files, configuration files, password hashes, and user credentials, without needing any authentication. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to significant information disclosure risks. An attacker can remotely and without authentication read arbitrary files on the affected FLIR Thermal Camera devices. This includes sensitive files such as system configuration files, password hashes, SSH authorized keys, user credential files containing MD5 hashed usernames and passwords, and other critical system scripts. Exposure of such information can enable attackers to gain further unauthorized access, compromise the device, or use the disclosed information to attack other systems in the network. The vulnerability poses a medium to high risk of information exposure and potential system compromise. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable API endpoint on the FLIR Thermal Camera using HTTP requests that include the `file` parameter to read arbitrary files. For example, you can use curl commands to request sensitive files such as `/etc/passwd` or configuration files via the API endpoint `/api/xml.php`. A sample command to test the vulnerability is: `curl "http://<camera-ip>/api/xml.php?file=/etc/passwd"`. If the contents of the file are returned without authentication, the system is vulnerable. Monitoring network traffic for such suspicious requests to `/api/xml.php` with a `file` parameter can also help detect exploitation attempts. [1, 3]
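The log-monitoring check described above, as an added example (not code from the advisory, VulnCheck or FLIR): it scans web-server access-log lines for requests that pass a `file` parameter to the API endpoint, decoding nested percent-encoding first. The combined access-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Both endpoint spellings that appear on this page.
ENDPOINTS = {"/api/xml", "/api/xml.php"}
# Assumed layout: common/combined access log (ip - user [time] "request" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def decode_fully(value, rounds=3):
    # Undo nested percent-encoding (%252f -> %2f -> /) so encoded paths are not missed.
    for _ in range(rounds):
        value = unquote(value)
    return value

def find_file_reads(lines):
    """Return one finding per logged request that passes `file` to the API endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        url = urlsplit(m["target"])
        if decode_fully(url.path).rstrip("/").lower() not in ENDPOINTS:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("file", []):
            name = decode_fully(raw)
            segments = name.replace("\\", "/").split("/")
            findings.append({
                "ip": m["ip"], "time": m["ts"],
                "file": name,
                "suspicious_path": name.startswith("/") or ".." in segments,
                "served": m["status"] == "200" and m["size"] not in ("0", "-"),
            })
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [08/Jan/2026:10:02:11 +0000] "GET /api/xml.php?file=/etc/passwd HTTP/1.1" 200 1432',
    '198.51.100.7 - - [08/Jan/2026:10:02:15 +0000] "GET /api/xml?file=..%252f..%252fetc%252fshadow HTTP/1.1" 403 0',
    '192.0.2.10 - - [08/Jan/2026:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Jan/2026:10:03:04 +0000] "GET /api/xml.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in find_file_reads(SAMPLE):
        print(hit)
```

Access logs record only the request line, so a `file` value sent in a request body would not appear here and needs inspection at a proxy or network sensor instead.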
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable API endpoint `/api/xml.php` by implementing network-level controls such as firewall rules to limit access only to trusted users or management networks. Additionally, updating the firmware and software of the FLIR Thermal Camera to versions where this vulnerability is patched is recommended. If updates are not immediately available, disabling or restricting the web interface or API access temporarily can reduce exposure. Changing default credentials is also advised to prevent further unauthorized access. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to read arbitrary files on FLIR Thermal Cameras, potentially exposing sensitive system information, user credentials, and configuration data. Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 2, 3]