Cyber Resilience

CVE-2018-25138

Critical · Public PoC

Published: 24 December 2025

Modified: 05 January 2026
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0052 (40.1th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-25138 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in FLIR AX8 firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 40.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2018-25138 is a critical vulnerability in the FLIR AX8 Thermal Camera version 1.32.16, involving hard-coded credentials for SSH access and the web panel that cannot be modified through normal camera operations. These persistent, predefined username and password combinations enable unauthorized access, classified under CWE-798 (Use of Hard-coded Credentials). The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact across confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability without privileges, authentication, or user interaction by simply using the exposed credentials to gain shell access via SSH or log into multiple camera interfaces. Successful exploitation grants full unauthorized control over the affected device, allowing attackers to execute arbitrary commands, manipulate camera functions, or pivot to other network assets.

Advisories and additional details are available from Zero Science Labs (ZSL-2018-5494 at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/45629), and the vendor site (https://www.flir.com), which may provide mitigation or patch guidance.


Vulnerability details

FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and log in to multiple camera interfaces using predefined username and password combinations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1021.004 SSH · Lateral Movement
Adversaries may use [Valid Accounts](https://attack.

T1133 External Remote Services · Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

Hard-coded credentials enable the use of default accounts (T1078.001) for initial access via SSH (T1021.004) and external remote services such as the web panel (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25139 · Same product: FLIR AX8
CVE-2025-35451 · Shared CWE-798
CVE-2019-25241 · Shared CWE-798
CVE-2020-37092 · Shared CWE-798
CVE-2024-46436 · Shared CWE-798
CVE-2026-42375 · Shared CWE-798
CVE-2026-23647 · Shared CWE-798
CVE-2026-28777 · Shared CWE-798
CVE-2024-46429 · Shared CWE-798
CVE-2026-42376 · Shared CWE-798

Affected Assets

Vendor: flir
Product: flir ax8 firmware
Versions: 1.17.13, 1.32.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: IA-5 requires secure management of authenticators including generation of strong, unique, and changeable credentials, directly preventing the use of unmodifiable hard-coded SSH and web panel credentials.

Prevent: AC-2 mandates identification, provisioning, and management of accounts with unique authenticators, enabling disablement or modification of accounts tied to hard-coded credentials.

Prevent: CM-6 enforces secure configuration settings for system components, allowing verification and correction of default or hard-coded credentials during deployment and maintenance.
