CVE-2018-25138

Published: Dec 24, 2025Modified: Jan 5, 2026

9.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: disclosure@vulncheck.com (Secondary)

Description

FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations.

Affected (2)

Products: Flir: Flir Ax8 Firmware

1 product

Flir Ax8 Firmware

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Flir Flir Ax8 Firmware	Version 1.32.16

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Flir Flir Ax8 Firmware	Version 1.17.13

Running on/with	Platform Versions
Flir Flir Ax8	All versions

Related CWEs

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (4)

https://www.exploit-db.com/exploits/45629

Source: disclosure@vulncheck.com

ExploitThird Party AdvisoryVDB Entry

https://www.flir.com

Source: disclosure@vulncheck.com

Product

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php

Source: disclosure@vulncheck.com

ExploitThird Party Advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.