
CVE-2025-5127: Cross Site Scripting in Teledyne FLIR AX8

Severity: Medium
Tags: Vulnerability, CVE-2025-5127, cve, cve-2025-5127
Published: Sat May 24 2025 (05/24/2025, 15:31:04 UTC)
Source: CVE
Vendor/Project: Teledyne FLIR
Product: AX8

Description

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. It affects unknown processing of the file /prod.php. Manipulating the argument cmd can lead to cross-site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 1.49.16 addresses this issue. It is recommended to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

AI-Powered Analysis

Last updated: 10/15/2025, 13:40:49 UTC

Technical Analysis

CVE-2025-5127 is a cross-site scripting vulnerability identified in Teledyne FLIR AX8 thermal camera devices running firmware versions up to 1.46.16. The vulnerability is located in the processing of the 'cmd' argument within the /prod.php endpoint of the device's internal web server. Improper sanitization or validation of this parameter allows an attacker to inject malicious JavaScript code, which can be executed in the context of an authenticated user's browser session. This XSS flaw can be exploited remotely without requiring prior authentication, though it does require user interaction, such as clicking a malicious link or visiting a crafted webpage. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized command execution within the web interface. Availability is not directly impacted. The vendor has publicly disclosed the vulnerability and released firmware version 1.49.16, which refactors the internal web interface to remediate the issue. The CVSS 4.0 base score is 5.1 (medium severity), reflecting remote exploitability and no required privileges, offset by the need for user interaction and the limited impact scope. No known exploits have been observed in the wild yet, but public disclosure increases risk. The FLIR AX8 is commonly used in industrial monitoring, security, and critical infrastructure environments, making this vulnerability relevant for organizations relying on these devices for operational safety and security.

Potential Impact

For European organizations, the vulnerability poses a risk primarily to the confidentiality and integrity of device management sessions. Attackers exploiting this XSS flaw could hijack authenticated sessions, steal credentials, or perform unauthorized actions on the FLIR AX8 device's web interface. This could lead to manipulation of thermal monitoring data, disruption of security monitoring, or unauthorized access to sensitive operational information. Organizations in sectors such as manufacturing, energy, transportation, and public safety that deploy FLIR AX8 cameras for monitoring critical infrastructure or security perimeters are particularly at risk. Compromise of these devices could facilitate broader attacks on industrial control systems or physical security. While the vulnerability does not directly affect availability, the indirect consequences of unauthorized access could impact operational continuity. The medium severity rating suggests a moderate risk, but the presence of publicly disclosed exploit details necessitates prompt action to prevent targeted attacks, especially in high-value environments prevalent in Europe.

Mitigation Recommendations

European organizations using Teledyne FLIR AX8 devices should immediately upgrade all affected devices to firmware version 1.49.16 or later, which contains the vendor's fix for this XSS vulnerability. Beyond patching, organizations should implement network segmentation to isolate FLIR AX8 devices from general user networks and restrict access to their web management interfaces to trusted administrators only, ideally via VPN or secure management networks. Employ web application firewalls (WAFs) or intrusion detection systems (IDS) to monitor and block suspicious HTTP requests targeting the /prod.php endpoint or containing suspicious 'cmd' parameter values. Conduct user awareness training to reduce the risk of social engineering attacks that could trigger user interaction with malicious links. Regularly audit device configurations and logs for signs of unauthorized access or anomalous activity. Finally, coordinate with asset owners to maintain an accurate inventory of deployed FLIR AX8 devices and ensure timely firmware updates as part of vulnerability management processes.
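
The log monitoring recommended above, as an added example that is not the vendor's or this database's code: it scans web or proxy access logs for /prod.php requests whose cmd value contains markup after percent-decoding, including double-encoded input. The combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = '''\
10.0.5.21 - - [24/May/2025:15:40:01 +0000] "GET /prod.php?cmd=status HTTP/1.1" 200 512
10.0.5.33 - - [24/May/2025:15:41:10 +0000] "GET /prod.php?cmd=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 498
10.0.5.33 - - [24/May/2025:15:41:12 +0000] "GET /prod.php?cmd=%253Cb%253Etest%253C%252Fb%253E HTTP/1.1" 200 498
10.0.5.40 - - [24/May/2025:15:42:00 +0000] "GET /index.php?cmd=%3Cb%3E HTTP/1.1" 200 1024
'''

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters and patterns that have no place in a plain command token.
MARKUP_RE = re.compile(r'[<>"\'`]|javascript:|\bon\w+\s*=', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_prod_requests(log_text):
    """Return (client_ip, decoded_cmd) for /prod.php requests whose cmd carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path.lower() != "/prod.php":
            continue
        # parse_qs decodes once; fully_decode handles any further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("cmd", []):
            cmd = fully_decode(raw)
            if MARKUP_RE.search(cmd):
                hits.append((client, cmd))
    return hits

if __name__ == "__main__":
    for client, cmd in suspicious_prod_requests(SAMPLE_LOG):
        print(f"{client} sent markup in cmd: {cmd!r}")
```

Hits from devices still on firmware up to 1.46.16 are the ones to prioritise for the 1.49.16 upgrade; the same pattern can be ported to a WAF or IDS rule.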


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-23T18:09:27.021Z
Cisa Enriched: false
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 6831eb200acd01a24927d322

Added to database: 5/24/2025, 3:52:00 PM

Last enriched: 10/15/2025, 1:40:49 PM

Last updated: 11/22/2025, 5:55:37 PM
