CVE-2017-20216
Remote Command Injection in FLIR PT-Series Firmware Allows Root Access

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: VulnCheck

Description
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).
Meta Information
Published: 2026-01-08
Last Modified: 2026-01-08
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: flir
Product: thermal_camera_pt_series
Version / Range: 8.0.0.64
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the FLIR Thermal Camera PT-Series firmware version 8.0.0.64, specifically in the controllerFlirSystem.php script's execFlirSystem() function. It allows unauthenticated remote attackers to inject arbitrary system commands because several POST parameters are not properly sanitized before being passed to PHP's shell_exec() function. Exploiting this flaw, attackers can execute commands with root privileges by sending crafted POST requests to the device's maintenance interface, potentially creating a web shell (test.php) that enables further remote root command execution. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands with root privileges on the affected FLIR Thermal Camera PT-Series devices without any authentication. This means attackers can fully control the device, bypass access controls, modify configurations, deploy malicious code such as web shells, and potentially use the device as a foothold to attack other systems within the network. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of the vulnerable FLIR PT-Series Thermal Camera firmware version 8.0.0.64 and by monitoring for suspicious POST requests to the device's maintenance interface, typically on port 8088. Specifically, crafted POST requests targeting the controllerFlirSystem.php script with parameters that could lead to command injection are indicators. Additionally, detection can involve scanning for the presence of the malicious web shell file (test.php) created by the exploit. A practical approach includes using network tools like curl or wget to send test POST requests to the device's maintenance interface to verify if it is vulnerable. For example, commands to probe the device might include sending crafted POST requests to http://<device-ip>:8088/controllerFlirSystem.php and checking for unexpected responses or the creation of test.php. Monitoring network traffic for unusual HTTP POST requests to port 8088 or the presence of test.php on the device can also help detect exploitation attempts. [1, 2, 3]
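
As an added defender-side example (not part of this record and not FLIR's code), the following Python scans web-server access-log lines for the two indicators the answer above names: POST requests to controllerFlirSystem.php and any request for test.php. The log lines, addresses and timestamps are constructed for illustration, and the combined log format is an assumption; logs from the camera's maintenance interface or an upstream proxy on port 8088 would be fed in instead.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Apache/nginx combined format); these are
# illustrative only and are not taken from any real device.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jan/2026:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jan/2026:10:15:07 +0000] "POST /controllerFlirSystem.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [06/Jan/2026:10:15:09 +0000] "GET /test.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jan/2026:11:02:44 +0000] "GET /controllerFlirSystem.php HTTP/1.1" 405 0 "-" "curl/8.4"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str
    request: str


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per log line that matches an indicator from the advisory."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?", 1)[0].lower()  # ignore query string, compare case-insensitively
        if m["method"] == "POST" and path.endswith("/controllerflirsystem.php"):
            reason = "POST to controllerFlirSystem.php (injection vector named in the advisory)"
        elif path.endswith("/test.php"):
            reason = "request for test.php (web shell observed in exploitation)"
        else:
            continue  # e.g. a plain GET of the script is not flagged
        findings.append(Finding(m["ip"], m["ts"], reason, f'{m["method"]} {m["path"]} -> {m["status"]}'))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: {f.reason} [{f.request}]")
```

Pair the log check with a file-system check for test.php in the web root, since a shell dropped before logging was enabled leaves no request trail.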


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Applying the official patches released by FLIR on October 9, 2017, which address the command injection vulnerabilities in firmware version 8.0.0.64 and related software versions. 2) Restricting network access to the device's maintenance interface (port 8088) to trusted administrators only, ideally by firewall rules or network segmentation. 3) Monitoring and removing any unauthorized web shells such as test.php if present on the device. 4) Disabling or limiting remote access features until patches can be applied. 5) Regularly auditing device firmware versions and updating to the latest secure releases. These steps help prevent exploitation by blocking unauthenticated remote command injections and reducing the attack surface. [3]

