Cyber Resilience

CVE-2017-20216

Critical · Public PoC · RCE

Published: 08 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: no entry
CVSS Score (v4.0): 9.3 (Critical)
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1064 (95.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2017-20216 is a critical-severity OS Command Injection (CWE-78) vulnerability in FLIR Thermal Camera PT-Series firmware version 8.0.0.64. (The automated asset attribution on this page reads "Zeroscience", inferred from the references; Zeroscience is the publisher of the advisory, not the affected vendor, and NVD filed no CPE for this CVE.) Its CVSS v4.0 base score is 9.3 (Critical); the CVSS v3.1 vector scores 9.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.8% of CVEs by exploit likelihood (EPSS 0.1064), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept in the advisories referenced below.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation); SI-2 (Flaw Remediation) covers the firmware update itself.

Deeper analysis

CVE-2017-20216 covers multiple unauthenticated remote command injection vulnerabilities in FLIR Thermal Camera PT-Series firmware version 8.0.0.64. The flaws reside in the controllerFlirSystem.php script, whose execFlirSystem() function passes unsanitized POST parameters to shell_exec(); because the script itself runs as root, an attacker can execute arbitrary system commands as root. The issue is classified under CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 9.8 (Critical; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), alongside the v4.0 score of 9.3 shown above.

An attacker with network access to the camera's web interface can exploit these flaws remotely with no authentication and no user interaction. Successful exploitation yields root-level command execution, so confidentiality, integrity and availability are all fully compromised: the attacker can run arbitrary code, exfiltrate data, alter the device configuration, or disrupt its operation.

Advisories and detailed analyses, including proof-of-concept exploits, are available at https://cxsecurity.com/issue/WLB-2017090203, https://packetstormsecurity.com/files/144321, an archived FLIR security blog post at https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043, https://www.exploit-db.com/exploits/42785/, and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php. Practitioners should review these for vendor-recommended firmware updates and, where an update cannot be applied, for temporary mitigations such as network segmentation that keeps the camera's web interface off untrusted networks.

Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC), two days before the CVE was published on 2026-01-08, confirming real-world activity against exposed PT-Series cameras.

Vulnerability details

FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The unauthenticated command injection in a public-facing web script (controllerFlirSystem.php) is itself the initial access step, which is T1190 (Exploit Public-Facing Application). Because the injected input reaches shell_exec(), the attacker's payload is interpreted by the Unix shell and runs as root, which is T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

FLIR Thermal Camera PT-Series, firmware version 8.0.0.64
Taken from the advisory references and the description; NVD did not file a CPE for this CVE. The automated attribution "Zeroscience" inferred from the references names the advisory publisher (zeroscience.mk), not the affected vendor.

Mitigating Controls (NIST SP 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent): SI-10 requires validation of all information inputs. Applied here, the POST parameters handled by execFlirSystem() must be validated against a strict allowlist before they reach shell_exec(). The more robust form of the same control is to stop building shell command strings from request data at all and to invoke the underlying binary with an argument array, so that no shell ever parses attacker-controlled bytes; blacklisting shell metacharacters is not a substitute.

AC-14 Permitted Actions Without Identification or Authentication (prevent): AC-14 limits the actions a system permits without identification or authentication. controllerFlirSystem.php acts on POST data with no authentication at all; requiring an authenticated session before any system-configuration action would have closed the unauthenticated exploitation path, although on its own it would not have stopped injection by an authenticated user.

SI-2 Flaw Remediation (prevent): SI-2 requires timely identification, reporting and correction of flaws; in practice, applying the vendor firmware update that removes the injection.
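To make the pattern described under Deeper analysis and the SI-10/AC-14 controls above concrete, the following added example (not code from the FLIR firmware or from the advisory) shows the command-injection pattern next to a handler hardened along those lines. The parameter names 'action' and 'ip', the 'set_ip' action and the 'ifconfig eth0' command are hypothetical stand-ins; the real execFlirSystem() parameters are not listed on this page. Neither function executes anything: both return the command they would run, so the example is safe to run offline.

```php
<?php
// Added example, not code from the FLIR firmware or the advisory.
// Parameter names ('action', 'ip'), the 'set_ip' action and the
// 'ifconfig eth0' command are hypothetical stand-ins for the real
// execFlirSystem() parameters, which this page does not list.
declare(strict_types=1);

// ---- Vulnerable pattern: request data is spliced into a shell string ----
// No authentication check and no validation, so everything in $post['ip']
// is handed to the shell. The advisory reports that the script runs as root,
// so a value such as "10.0.0.5; id" runs 'id' as root after ifconfig returns.
function buildCommandVulnerable(array $post): string
{
    $cmd = 'ifconfig eth0 ' . ($post['ip'] ?? '');
    // The original pattern calls shell_exec($cmd) at this point; this example
    // only returns the string so that nothing is executed.
    return $cmd;
}

// ---- Hardened pattern: AC-14 (authentication) plus SI-10 (validation) ----
final class InvalidRequest extends RuntimeException {}

// Allowlist of actions; each maps to a fixed argv prefix. Anything not in
// this table is refused, so the request can never choose the binary.
const ALLOWED_ACTIONS = [
    'set_ip' => ['ifconfig', 'eth0'],
];

/**
 * Returns the argv array to run. Pass it to proc_open() as an array
 * (PHP >= 7.4), which starts the binary directly without a shell, so
 * metacharacters in $post['ip'] are just bytes inside one argument.
 * On older PHP, escapeshellarg() each element before joining into a string.
 *
 * @return string[]
 */
function buildCommandHardened(array $post, bool $authenticated): array
{
    if (!$authenticated) {                         // AC-14: no anonymous actions
        throw new InvalidRequest('authentication required');
    }
    $action = $post['action'] ?? '';
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidRequest('unknown action');
    }
    $ip = $post['ip'] ?? '';
    // SI-10: positive validation of the expected syntax, not a blacklist of
    // shell characters (which attackers routinely work around).
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidRequest('ip is not a valid IPv4 address');
    }
    return array_merge(ALLOWED_ACTIONS[$action], [$ip]);
}

// Constructed request bodies: one shaped like the advisory's injection (a
// shell metacharacter followed by the attacker's command), one benign.
$maliciousPost = ['action' => 'set_ip', 'ip' => '10.0.0.5; id > /tmp/pwned'];
$benignPost    = ['action' => 'set_ip', 'ip' => '10.0.0.5'];

echo 'vulnerable builds: ', buildCommandVulnerable($maliciousPost), PHP_EOL;

foreach ([[$maliciousPost, true], [$benignPost, false], [$benignPost, true]] as [$post, $auth]) {
    try {
        $argv = buildCommandHardened($post, $auth);
        echo 'hardened accepts argv: ', json_encode($argv), PHP_EOL;
    } catch (InvalidRequest $e) {
        echo 'hardened rejects: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with the php command-line interpreter. The vulnerable builder returns the injected string unchanged, with the ';' ready to end ifconfig and start the attacker's command; the hardened builder rejects the malicious body because it is not a valid IPv4 address, rejects the unauthenticated benign request, and returns an argv array for the authenticated benign one. The design point is that the argv array, not a string, is what reaches proc_open(), so the shell never gets a chance to interpret request data.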

References

https://cxsecurity.com/issue/WLB-2017090203
https://packetstormsecurity.com/files/144321
https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043
https://www.exploit-db.com/exploits/42785/
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php