CVE-2025-5126 is a critical command injection vulnerability affecting the FLIR AX8 thermal imaging camera devices running firmware versions up to 1.46.16. The vulnerability resides in the setDataTime function within the file \usr\www\application\models\settingsregional.php. This function processes date and time parameters such as year, month, day, hour, and minute. Improper sanitization or validation of these input parameters allows an attacker to inject arbitrary commands that the system executes. The vulnerability is remotely exploitable without requiring user interaction or authentication, making it highly dangerous. The CVSS 4.0 base score is 8.7, reflecting high severity, with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The vendor FLIR was notified early but has not responded or released a patch, and no official remediation is currently available. Although no known exploits are reported in the wild yet, public disclosure of the exploit code increases the risk of active exploitation. The vulnerability could allow attackers to execute arbitrary system commands, potentially leading to full device compromise, data theft, manipulation of thermal imaging data, or use of the device as a pivot point for further network attacks.

For European organizations using FLIR AX8 devices, especially in critical infrastructure, manufacturing, energy, or building management sectors, this vulnerability poses a significant risk. Compromise of these devices can lead to unauthorized access to sensitive thermal imaging data, disruption of monitoring and safety systems, and potential lateral movement within corporate networks. Given the remote exploitability without authentication, attackers can target exposed devices over the internet or internal networks. The impact on confidentiality, integrity, and availability is high, potentially affecting operational continuity and safety. Additionally, the lack of vendor response and patch availability increases exposure time. Organizations relying on FLIR AX8 for safety monitoring or industrial control may face regulatory and compliance risks under European data protection and critical infrastructure security laws if exploited.

Immediate mitigation steps include isolating FLIR AX8 devices from untrusted networks and restricting access to trusted administrators only via network segmentation and firewall rules. Disable any remote management interfaces if not required. Monitor network traffic for unusual commands or connections to these devices. Implement strict input validation proxies or web application firewalls (WAF) that can detect and block suspicious payloads targeting the setDataTime function parameters. Since no official patch is available, organizations should engage with FLIR support for guidance and monitor for firmware updates. Consider replacing or temporarily removing vulnerable devices from critical environments if feasible. Conduct thorough audits of device configurations and logs to detect any signs of compromise. Finally, raise awareness among security teams about this vulnerability to ensure rapid incident response if exploitation attempts occur.