CVE-2017-20214
Hard-Coded SSH Credentials in FLIR Thermal Camera Firmware Enable Unauthorized Access
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flir | thermal_camera | 8.0.0.64 |
| flir | thermal_camera | 10.0.2.43 |
| flir | thermal_camera | From 1.3.2 (inc) to 1.4.1 (inc) |
| flir | nexus_server | From 2.5.13.0 (inc) to 2.5.29.0 (inc) |
| lighttpd | lighttpd | 1.4.28 |
| php | php | 5.4.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves FLIR Thermal Camera models from the F/FC/PT/D series containing hard-coded SSH credentials embedded within their Linux-based firmware. These credentials are permanently set by the manufacturer and cannot be changed or removed through any standard camera operation or user interface. Because of this, attackers can use these persistent credentials to gain unauthorized remote SSH access to the camera system. [1, 2, 3]
How can this vulnerability impact me? :
Exploiting this vulnerability allows remote attackers to gain unauthorized root-level SSH access to the affected FLIR thermal cameras. This means attackers can take full control of the device, potentially compromising the camera's data, surveillance capabilities, and overall security. Such unauthorized access poses a high security risk, especially in environments relying on these cameras for monitoring and security. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for devices running the affected FLIR Thermal Camera firmware versions (such as 8.0.0.64) and attempting to connect via SSH using the known hard-coded credentials. The known usernames and passwords include root with password "indigo", root with password "video", default with password "video", default with a blank password, and ftp with password "video". You can use SSH client commands to test these credentials against the IP addresses of suspected FLIR cameras on your network. For example, using a command like `ssh root@<camera_ip>` and trying the passwords mentioned. Additionally, network scanning tools can be used to identify devices running SSH on typical FLIR camera ports and then attempt authentication with these credentials to confirm vulnerability. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include isolating the affected FLIR Thermal Cameras from untrusted networks to prevent unauthorized remote access. Since the hard-coded SSH credentials cannot be changed through normal camera operations, restricting network access via firewall rules or network segmentation is critical. Monitoring and logging SSH access attempts can help detect exploitation attempts. If possible, contact FLIR for firmware updates or patches that address this issue or consider replacing affected devices with models that do not contain hard-coded credentials. [1, 3]