Description

FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication.

PUBLISHED | Reserved 2026-01-06 | Published 2026-01-07 | Updated 2026-01-08 | Assigner VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

8.0.0.64: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5434.php exploit

www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5434.php (Zero Science Lab Vulnerability Advisory) third-party-advisory

www.exploit-db.com/exploits/42786/ (Exploit Database Entry 42786) exploit

packetstormsecurity.com/files/144322 (Packet Storm Security Exploit Archive) exploit

cxsecurity.com/issue/WLB-2017090202 (CXSecurity Vulnerability Listing) third-party-advisory

web.archive.org/....flir.com/security/blog/details/?ID=87043 (Archived FLIR Security Advisory) vendor-advisory patch

cve.org (CVE-2017-20212)

nvd.nist.gov (CVE-2017-20212)
