CVE-2025-5126

Published: May 24, 2025Modified: Oct 15, 2025

7.4

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 1.49.16 is able to resolve this issue. Upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

Affected (1)

Products: Flir: Flir Ax8 Firmware

1 product

Flir Ax8 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Flir Flir Ax8 Firmware	From 1.46.0 to 1.46.16

Running on/with	Platform Versions
Flir Flir Ax8	All versions

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (9)

https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24hour.md

Source: cna@vuldb.com

ExploitThird Party Advisory

https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24minute.md

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/?ctiid.310204

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.310204

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.570725

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.572266

Source: cna@vuldb.com

https://vuldb.com/?submit.572275

Source: cna@vuldb.com

https://vuldb.com/?submit.572277

Source: cna@vuldb.com

https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24minute.md

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.