
CVE-2025-5695: Command Injection in Teledyne FLIR AX8

Severity: Medium
Type: Vulnerability
CVE: CVE-2025-5695
Published: Thu Jun 05 2025 (06/05/2025, 21:00:21 UTC)
Source: CVE Database V5
Vendor/Project: Teledyne FLIR
Product: AX8

Description

A vulnerability has been found in Teledyne FLIR AX8 up to 1.46.16. This impacts the function subscribe_to_spot/subscribe_to_delta/subscribe_to_alarm of the file /usr/www/application/models/subscriptions.php of the component Backend. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.49.16 will fix this issue. It is suggested to upgrade the affected component. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."

AI-Powered Analysis

Last updated: 10/15/2025, 13:41:00 UTC

Technical Analysis

CVE-2025-5695 is a command injection vulnerability identified in the Teledyne FLIR AX8 thermal monitoring device firmware versions 1.46.0 through 1.46.16. The vulnerability resides in the backend PHP component, specifically within the functions subscribe_to_spot, subscribe_to_delta, and subscribe_to_alarm in the /usr/www/application/models/subscriptions.php file. These functions handle subscription requests for various alert types. Due to insufficient input validation or sanitization, an attacker can inject arbitrary commands that the system executes with the privileges of the backend process. The vulnerability is remotely exploitable over the network without requiring user interaction but does require the attacker to have high privileges, indicating some form of authentication or elevated access is needed. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects a medium severity with partial impacts on confidentiality, integrity, and availability. The vendor has addressed the issue in firmware version 1.49.16 by refactoring the internal web interface to handle these vulnerabilities properly. Although no active exploits have been reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The flaw could allow attackers to execute arbitrary commands remotely, potentially leading to unauthorized data access, system manipulation, or denial of service conditions on affected devices.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, particularly for those relying on FLIR AX8 devices for critical thermal monitoring in industrial, infrastructure, or security environments. Successful exploitation could allow attackers to execute arbitrary commands remotely, potentially leading to unauthorized access to sensitive operational data, manipulation of device functions, or disruption of monitoring capabilities. This could affect operational continuity, safety monitoring, and incident response effectiveness. Confidentiality may be compromised if attackers extract sensitive data, while integrity and availability could be degraded if attackers alter device behavior or cause service interruptions. Given the medium severity and requirement for high privileges, the risk is elevated in environments where device access controls are weak or where attackers can escalate privileges. The public disclosure and availability of patches mean organizations delaying updates face increased exposure to targeted attacks or automated exploitation attempts.

Mitigation Recommendations

European organizations should immediately verify the firmware versions of their deployed FLIR AX8 devices and prioritize upgrading to version 1.49.16 or later to remediate the vulnerability. Network segmentation should be enforced to restrict access to device management interfaces, limiting exposure to trusted administrators only. Implement strong authentication and access control mechanisms to prevent unauthorized privilege escalation. Regularly audit device logs and monitor network traffic for unusual commands or subscription requests that could indicate exploitation attempts. Employ intrusion detection systems tuned to detect command injection patterns targeting FLIR AX8 devices. Additionally, disable or restrict unnecessary subscription features if not in use to reduce the attack surface. Establish a patch management process to ensure timely application of vendor updates and maintain an inventory of all IoT and OT devices to facilitate vulnerability management. Finally, conduct security awareness training for personnel managing these devices to recognize and respond to potential compromise indicators.
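
An added example, not part of the original advisory or vendor material: a firmware inventory triage for the version check recommended above. The CSV layout, hostnames, addresses and status labels are assumptions; the version boundaries come from the description (affected up to 1.46.16, fixed in 1.49.16).

```python
import csv
import io

# Version boundaries taken from the advisory text.
LAST_AFFECTED = (1, 46, 16)  # "up to 1.46.16"
FIRST_FIXED = (1, 49, 16)    # "Upgrading to version 1.49.16 will fix this issue"

# Constructed sample inventory; hosts, addresses and column names are assumptions.
SAMPLE_INVENTORY = """host,address,firmware
ax8-boiler-01,10.20.0.11,1.46.16
ax8-boiler-02,10.20.0.12,1.49.16
ax8-switchgear-01,10.20.1.21,1.46.9
ax8-switchgear-02,10.20.1.22,1.47.2
ax8-conveyor-01,10.20.2.31,n/a
ax8-conveyor-02,10.20.2.32,1.50.3
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the field is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(firmware):
    """Compare numerically: as strings, '1.46.9' would sort after '1.46.16'."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"        # version not recorded; check the device itself
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"        # the advisory says nothing about in-between builds

def triage(inventory_csv):
    """Return (host, address, firmware, status) for devices needing action."""
    order = {"affected": 0, "unknown": 1, "unconfirmed": 2}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["firmware"])
        if status != "fixed":
            rows.append((row["host"], row["address"], row["firmware"], status))
    return sorted(rows, key=lambda r: (order[r[3]], r[0]))

if __name__ == "__main__":
    for host, address, firmware, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<12}{host:<20}{address:<14}{firmware}")
```

Devices reported as `unconfirmed` or `unknown` are treated as needing the upgrade, since only 1.49.16 is stated as fixed.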


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T20:22:18.880Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684208c0182aa0cae2f126f7

Added to database: 6/5/2025, 9:14:40 PM

Last enriched: 10/15/2025, 1:41:00 PM

Last updated: 11/20/2025, 11:39:12 PM
