Description

A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. It affects the functions subscribe_to_spot, subscribe_to_delta and subscribe_to_alarm in the file /usr/www/application/models/subscriptions.php of the Backend component. Manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.49.16 fixes this issue, and upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."


PUBLISHED Reserved 2025-06-04 | Published 2025-06-05 | Updated 2025-10-15 | Assigner VulDB




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 4.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
5.8 | AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Command Injection

Injection

Product status

1.46.0: affected
1.46.1: affected
1.46.2: affected
1.46.3: affected
1.46.4: affected
1.46.5: affected
1.46.6: affected
1.46.7: affected
1.46.8: affected
1.46.9: affected
1.46.10: affected
1.46.11: affected
1.46.12: affected
1.46.13: affected
1.46.14: affected
1.46.15: affected
1.46.16: affected
1.49.16: unaffected

Timeline

2025-06-04: Advisory disclosed
2025-06-04: VulDB entry created
2025-10-15: VulDB entry last update

Credits

XU17 (VulDB User), reporter

References

vuldb.com/?id.311211 (VDB-311211 | Teledyne FLIR AX8 Backend subscriptions.php subscribe_to_alarm command injection) vdb-entry technical-description

vuldb.com/?ctiid.311211 (VDB-311211 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.585715 (Submit #585715 | FLIR AX8 <= 1.46 Remote Command Injection) third-party-advisory

vuldb.com/?submit.584532 (Submit #584532 | FLIR AX8 <= 1.46 Command Injection (Duplicate)) third-party-advisory

vuldb.com/?submit.585716 (Submit #585716 | FLIR AX8 <= 1.46 Remote Command Injection (Duplicate)) third-party-advisory

github.com/...rability in subscribe_to_spot() in FLIR AX8.md broken-link

github.com/...ability in subscribe_to_delta() in FLIR AX8.md broken-link exploit

flir.custhelp.com/app/account/fl_download_software patch

cve.org (CVE-2025-5695)

nvd.nist.gov (CVE-2025-5695)
