Home

Description

FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Missing Authentication for Critical Function

Product status

V1.01-0bb5b27
affected

E1.00.09
affected

V1.02.P01
affected

V1.05.P01
affected

V1.04.P02
affected

V1.04
affected

V1.01.P02
affected

V1.05.P03
affected

V1.06
affected

V1.02.P02
affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php exploit

www.exploit-db.com/exploits/45539 (ExploitDB-45539) exploit

www.flir.com (FLIR Systems Official Website) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php (Zero Science Lab Disclosure (ZSL-2018-5490)) third-party-advisory

cve.org (CVE-2018-25140)

nvd.nist.gov (CVE-2018-25140)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.