CVE-2025-5126: Command Injection in Teledyne FLIR AX8
A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. It affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Manipulating the arguments year/month/day/hour/minute leads to command injection. The attack can be initiated remotely. The exploit has been made public and may be used. Upgrading to version 1.49.16 resolves this issue, and upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."
AI Analysis
Technical Summary
CVE-2025-5126 is a remote command injection vulnerability identified in the Teledyne FLIR AX8 thermal imaging camera devices running firmware versions up to 1.46.16. The vulnerability resides in the setDataTime function of the settingsregional.php file located at \usr\www\application\models\. This function processes date and time parameters such as year, month, day, hour, and minute. Improper input sanitization allows an attacker to inject arbitrary commands by manipulating these parameters. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS 4.0 score of 8.7 reflects its critical nature, with network attack vector, low attack complexity, and no privileges or user interaction needed. Successful exploitation could allow attackers to execute arbitrary commands on the device, potentially leading to full device compromise, data exfiltration, or pivoting into internal networks. The vendor has addressed the issue in firmware version 1.49.16 by refactoring the internal web interface to handle input safely. Although no active exploitation has been reported, the public availability of exploit code increases the risk of imminent attacks. The affected product, FLIR AX8, is widely used in industrial monitoring, building automation, and critical infrastructure sectors, making this vulnerability a significant concern for organizations relying on these devices.
Potential Impact
For European organizations, the impact of CVE-2025-5126 can be severe, especially for those deploying FLIR AX8 devices in critical infrastructure such as energy plants, manufacturing facilities, and smart buildings. Exploitation could lead to unauthorized remote command execution, resulting in disruption of monitoring capabilities, manipulation of sensor data, or use of the compromised device as a foothold for lateral movement within corporate networks. This could affect operational continuity, safety monitoring, and compliance with regulatory requirements such as NIS2. Additionally, compromised devices could be leveraged to launch further attacks or exfiltrate sensitive data. Given the device’s role in physical environment monitoring, attackers might also cause physical damage or safety hazards by interfering with automated controls. The high severity and ease of exploitation make timely remediation essential to prevent potential operational and reputational damage.
Mitigation Recommendations
1. Immediately upgrade all Teledyne FLIR AX8 devices to firmware version 1.49.16 or later to apply the official patch.
2. Implement network segmentation to isolate FLIR AX8 devices from critical internal networks and limit exposure to untrusted networks.
3. Restrict access to the device management interface using firewall rules and VPNs to reduce attack surface.
4. Monitor network traffic for unusual activity targeting the device’s web interface, especially suspicious requests manipulating date/time parameters.
5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics for command injection attempts against FLIR AX8 devices.
6. Regularly audit device configurations and logs for signs of compromise or unauthorized changes.
7. Coordinate with vendors and suppliers to ensure timely updates and vulnerability disclosures.
8. Consider deploying application-layer gateways or web application firewalls (WAFs) to filter malicious input targeting the vulnerable function.
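The monitoring and filtering steps above (items 4, 5 and 8) come down to an allowlist on the five date/time parameters. The sketch below is an added example, not code from the vendor or from this advisory. It assumes the request body is form-encoded; the parameter names are the advisory's, while the numeric ranges and the sample bodies are constructed for illustration.

```python
import calendar
from urllib.parse import parse_qsl

# Parameter names come from the advisory. The ranges are ordinary calendar
# limits chosen for this example, not values taken from the firmware.
RANGES = {"year": (1970, 2099), "month": (1, 12), "day": (1, 31),
          "hour": (0, 23), "minute": (0, 59)}

# Constructed sample request bodies (assumed form encoding).
SAMPLE_BODIES = [
    "year=2025&month=05&day=24&hour=15&minute=07",       # well-formed
    "year=2025&month=05&day=24&hour=15&minute=07%3Bid",  # encoded ';' in a field
    "year=2025&month=02&day=30&hour=10&minute=00",       # impossible date
    "year=2025&month=13&day=01&hour=10&minute=00",       # out of range
]


def check_fields(body: str) -> list[str]:
    """Return the reasons a form-encoded body looks hostile ([] means clean)."""
    reasons, valid, seen = [], {}, set()
    # parse_qsl percent-decodes, so encoded metacharacters (%3B, %0A) are
    # judged in their decoded form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name not in RANGES:
            continue
        if name in seen:
            reasons.append(f"{name}: repeated parameter")
        seen.add(name)
        # Allowlist: one to four ASCII digits and nothing else.
        if not (value.isascii() and value.isdigit() and len(value) <= 4):
            reasons.append(f"{name}: non-numeric value {value!r}")
            continue
        low, high = RANGES[name]
        if low <= int(value) <= high:
            valid[name] = int(value)
        else:
            reasons.append(f"{name}: {value} outside {low}-{high}")
    # Cross-field check: the day must exist in that month of that year.
    if all(k in valid for k in ("year", "month", "day")):
        last = calendar.monthrange(valid["year"], valid["month"])[1]
        if valid["day"] > last:
            reasons.append(f"day: {valid['day']} does not exist in "
                           f"{valid['year']}-{valid['month']:02d}")
    return reasons


def flagged(bodies):
    """Map each suspicious body to its reasons; clean bodies are omitted."""
    results = {body: check_fields(body) for body in bodies}
    return {body: why for body, why in results.items() if why}
```

The same allowlist can back a WAF rule or an IDS heuristic: any date/time field that is not a short run of digits is worth an alert regardless of what follows the digits.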
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-23T18:09:10.108Z
- Cisa Enriched: false
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6831e0a60acd01a24927cffa
Added to database: 5/24/2025, 3:07:18 PM
Last enriched: 10/15/2025, 1:40:35 PM
Last updated: 11/22/2025, 4:43:31 PM
Related Threats
- CVE-2023-30806: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Sangfor Net-Gen Application Firewall (Critical)
- CVE-2024-0401: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ASUS ExpertWiFi (High)
- CVE-2024-23690: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Netgear FVS336Gv3 (High)
- CVE-2024-13976: CWE-427 Uncontrolled Search Path Element in Commvault Commvault for Windows (High)
- CVE-2024-12856: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Four-Faith F3x24 (High)