CVE-2017-20216
Unknown Unknown - Not Provided
Remote Command Injection in FLIR PT-Series Firmware Allows Root Access

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: VulnCheck

Description
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2017-20216
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flir thermal_camera_pt_series 8.0.0.64
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the FLIR Thermal Camera PT-Series firmware version 8.0.0.64, specifically in the controllerFlirSystem.php script's execFlirSystem() function. It allows unauthenticated remote attackers to inject arbitrary system commands because several POST parameters are not properly sanitized before being passed to PHP's shell_exec() function. Exploiting this flaw, attackers can execute commands with root privileges by sending crafted POST requests to the device's maintenance interface, potentially creating a web shell (test.php) that enables further remote root command execution. [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary commands with root privileges on the affected FLIR Thermal Camera PT-Series devices without any authentication. This means attackers can fully control the device, bypass access controls, modify configurations, deploy malicious code such as web shells, and potentially use the device as a foothold to attack other systems within the network. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable FLIR PT-Series Thermal Camera firmware version 8.0.0.64 and by monitoring for suspicious POST requests to the device's maintenance interface, typically on port 8088. Specifically, crafted POST requests targeting the controllerFlirSystem.php script with parameters that could lead to command injection are indicators. Additionally, detection can involve scanning for the presence of the malicious web shell file (test.php) created by the exploit. A practical approach includes using network tools like curl or wget to send test POST requests to the device's maintenance interface to verify if it is vulnerable. For example, commands to probe the device might include sending crafted POST requests to http://<device-ip>:8088/controllerFlirSystem.php and checking for unexpected responses or the creation of test.php. Monitoring network traffic for unusual HTTP POST requests to port 8088 or the presence of test.php on the device can also help detect exploitation attempts. [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include: 1) Applying the official patches released by FLIR on October 9, 2017, which address the command injection vulnerabilities in firmware version 8.0.0.64 and related software versions. 2) Restricting network access to the device's maintenance interface (port 8088) to trusted administrators only, ideally by firewall rules or network segmentation. 3) Monitoring and removing any unauthorized web shells such as test.php if present on the device. 4) Disabling or limiting remote access features until patches can be applied. 5) Regularly auditing device firmware versions and updating to the latest secure releases. These steps help prevent exploitation by blocking unauthenticated remote command injections and reducing the attack surface. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2017-20216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart