CVE-2017-20216
Published: 08 January 2026
Summary
CVE-2017-20216 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2017-20216 is a set of multiple unauthenticated remote command injection vulnerabilities affecting FLIR Thermal Camera PT-Series firmware version 8.0.0.64. The flaws reside in the controllerFlirSystem.php script, where the execFlirSystem() function processes unsanitized POST parameters through shell_exec() calls, enabling attackers to execute arbitrary system commands as root. This OS command injection issue, classified under CWE-78, carries a critical CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers with network access to the affected device can exploit these vulnerabilities remotely without user interaction or privileges. Exploitation allows full root-level command execution, granting high-impact control over confidentiality, integrity, and availability, such as running malicious code, exfiltrating data, altering configurations, or disrupting device operations.
Advisories and detailed analyses, including proof-of-concept exploits, are available in references such as https://cxsecurity.com/issue/WLB-2017090203, https://packetstormsecurity.com/files/144321, an archived FLIR security blog post at https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043, https://www.exploit-db.com/exploits/42785/, and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php. Security practitioners should review these for vendor-recommended patches, firmware updates, or temporary mitigations like network segmentation.
Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC), shortly before the CVE publication on 2026-01-08, confirming real-world activity against exposed PT-Series cameras.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1608
Vulnerability details
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence…
more
was observed by the Shadowserver Foundation on 2026-01-06 (UTC).
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection in a public-facing web script (controllerFlirSystem.php) via shell_exec() directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution as root (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of all inputs, directly preventing command injection by ensuring POST parameters are sanitized before passing to shell_exec in the execFlirSystem function.
AC-14 restricts actions performable without identification or authentication, preventing unauthenticated remote exploitation of the controllerFlirSystem.php vulnerabilities.
SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating the command injection vulnerabilities through firmware patching.