CVE-2025-5126
Published: 24 May 2025
Summary
CVE-2025-5126 is a high-severity Injection (CWE-74) vulnerability in Flir Flir Ax8 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A command injection vulnerability exists in Teledyne FLIR AX8 devices running firmware up to version 1.46.16. The flaw resides in the setDataTime function of the settingsregional.php model, where unsanitized input to the year, month, day, hour, or minute parameters is passed to system commands, corresponding to CWE-74 and CWE-77 weaknesses.
An authenticated remote attacker with network access can supply crafted parameter values to execute arbitrary operating-system commands on the device. Successful exploitation yields high impact on confidentiality, integrity, and availability, allowing an adversary to run code, alter device behavior, or disrupt operations without user interaction.
Publicly available proof-of-concept code demonstrates the injection via the $hour and $minute parameters. The vendor states that upgrading to firmware 1.49.16 resolves the issue through a refactoring of the internal web interface; the EPSS score has remained flat at 0.1095 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16221
Vulnerability details
A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has…
more
been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing web application (settingsregional.php) enables remote exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.