Cyber Resilience

CVE-2025-5126

HighPublic PoCRCE

Published: 24 May 2025

Published
24 May 2025
Modified
15 October 2025
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1095 93.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5126 is a high-severity Injection (CWE-74) vulnerability in Flir Flir Ax8 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A command injection vulnerability exists in Teledyne FLIR AX8 devices running firmware up to version 1.46.16. The flaw resides in the setDataTime function of the settingsregional.php model, where unsanitized input to the year, month, day, hour, or minute parameters is passed to system commands, corresponding to CWE-74 and CWE-77 weaknesses.

An authenticated remote attacker with network access can supply crafted parameter values to execute arbitrary operating-system commands on the device. Successful exploitation yields high impact on confidentiality, integrity, and availability, allowing an adversary to run code, alter device behavior, or disrupt operations without user interaction.

Publicly available proof-of-concept code demonstrates the injection via the $hour and $minute parameters. The vendor states that upgrading to firmware 1.49.16 resolves the issue through a refactoring of the internal web interface; the EPSS score has remained flat at 0.1095 with no material increase since disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has…

more

been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in public-facing web application (settingsregional.php) enables remote exploitation of public-facing application (T1190) for arbitrary Unix shell command execution (T1059.004).

Affected Assets

flir
flir ax8 firmware
1.46.0 — 1.46.16

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References