
CVE-2025-5695: Command Injection in FLIR AX8

Severity: Medium
Published: Thu Jun 05 2025 (06/05/2025, 21:00:21 UTC)
Source: CVE Database V5
Vendor/Project: FLIR
Product: AX8

Description

A vulnerability classified as critical has been found in FLIR AX8 up to 1.46.16. This affects the function subscribe_to_spot/subscribe_to_delta/subscribe_to_alarm of the file /usr/www/application/models/subscriptions.php of the component Backend. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.55.16 is able to address this issue. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 07/07/2025, 17:13:01 UTC

Technical Analysis

CVE-2025-5695 is a command injection vulnerability in the FLIR AX8 thermal imaging camera, affecting firmware versions up to 1.46.16. The flaw lies in the backend component, in the file /usr/www/application/models/subscriptions.php, and affects the functions subscribe_to_spot, subscribe_to_delta and subscribe_to_alarm, which likely handle subscriptions to event notifications or alarms generated by the device. Because input reaching these functions is not adequately validated or sanitized, an attacker can inject arbitrary commands through the subscription parameters and have them executed on the device's underlying operating system. The CVE description states that the attack can be initiated remotely and needs no user interaction; the CVSS vector, however, specifies high privileges (PR:H), so some level of authenticated, elevated access to the device is likely required. The CVSS 4.0 base score is 5.1 (medium severity): a network attack vector with low complexity, but limited impact on confidentiality, integrity and availability. The vendor has released firmware version 1.55.16, which addresses the issue. No exploitation in the wild has been reported, but the exploit has been publicly disclosed, which raises the likelihood of attempts. The FLIR AX8 is widely used in industrial environments for thermal monitoring and predictive maintenance, so this vulnerability is a concern for critical infrastructure and manufacturing sectors that rely on these devices for safety and operational continuity.

Potential Impact

For European organizations, the exploitation of this vulnerability could lead to unauthorized command execution on FLIR AX8 devices, potentially allowing attackers to disrupt thermal monitoring, disable alarms, or manipulate sensor data. This could impair industrial safety systems, lead to undetected equipment failures, or cause operational downtime. Confidentiality impact is limited, but integrity and availability of monitoring data and alarms could be compromised, affecting decision-making and safety responses. Organizations in manufacturing, energy, utilities, and critical infrastructure sectors that deploy FLIR AX8 cameras are at risk. The medium severity rating suggests that while the vulnerability is serious, exploitation may require privileged access, somewhat limiting the attack surface. However, given the critical role of these devices in safety monitoring, even limited exploitation could have significant operational consequences. The public availability of exploit details increases the urgency for European organizations to apply patches promptly to avoid potential targeted attacks or ransomware scenarios leveraging compromised devices as footholds.

Mitigation Recommendations

European organizations should immediately verify the firmware version of all deployed FLIR AX8 devices and plan an upgrade to version 1.55.16 or later, which contains the fix for CVE-2025-5695. Network segmentation should be enforced to isolate FLIR AX8 devices from untrusted networks and limit administrative access to trusted personnel only. Implement strict access controls and monitor authentication logs for suspicious activity, as exploitation requires high privileges. Employ network intrusion detection systems (NIDS) with signatures or heuristics to detect anomalous command injection attempts targeting subscription functions. Disable or restrict subscription features if not required operationally. Regularly audit device configurations and firmware versions as part of asset management. Additionally, organizations should engage with FLIR support for any vendor-specific security advisories and consider compensating controls such as application-layer firewalls or VPNs to secure remote management interfaces. Incident response plans should include procedures for isolating compromised devices and forensic analysis to assess impact.
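As an added example (not from the advisory, VulDB or FLIR), a small Python triage helper for two of the mitigation steps above: flagging inventoried AX8 units whose firmware is older than the fixed 1.55.16 release, and scanning web-server access logs for requests to subscription endpoints that carry shell metacharacters. The hostnames, firmware strings, log lines and the `/subscribe/...` endpoint paths are constructed assumptions; the page does not document the AX8's actual request format.

```python
import re
from urllib.parse import unquote_plus

FIXED_VERSION = "1.55.16"  # release the advisory names as containing the fix
# Shell metacharacters that should never appear in a subscription parameter
# (a single '&' is excluded: it legitimately separates query parameters).
SHELL_META = re.compile(r"[;|`$<>\n]|&&")
# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
CLF_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(text):
    """Turn a dotted firmware string such as '1.46.16' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_upgrade(version, fixed=FIXED_VERSION):
    """True when the reported firmware is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)

def triage_inventory(inventory):
    """inventory maps hostname -> firmware; returns hosts still on affected firmware."""
    return sorted(host for host, fw in inventory.items() if needs_upgrade(fw))

def suspicious_subscription_requests(log_lines):
    """Return requests whose URL-decoded target names a subscription endpoint
    (hypothetical '/subscribe/...' paths) and carries shell metacharacters."""
    hits = []
    for line in log_lines:
        m = CLF_REQUEST.match(line)
        if not m:
            continue  # not a CLF line; ignore
        src, when, method, target, status = m.groups()
        decoded = unquote_plus(target)  # undo %xx encoding before inspecting
        if "subscri" in decoded.lower() and SHELL_META.search(decoded):
            hits.append({"src": src, "time": when, "method": method,
                         "target": decoded, "status": int(status)})
    return hits

# Constructed sample data: hostnames, firmware strings and log lines are made up.
SAMPLE_INVENTORY = {"ax8-boiler-01": "1.46.16", "ax8-kiln-02": "1.55.16", "ax8-line-03": "1.40.2"}
SAMPLE_LOG = [
    '10.0.5.21 - - [10/Jun/2025:08:01:12 +0000] "GET /subscribe/spot?id=3 HTTP/1.1" 200 512',
    '10.0.5.77 - - [10/Jun/2025:08:02:40 +0000] "GET /subscribe/alarm?id=1%3Bx HTTP/1.1" 200 77',
    '10.0.5.21 - - [10/Jun/2025:08:03:05 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("needs upgrade:", triage_inventory(SAMPLE_INVENTORY))
    for hit in suspicious_subscription_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The third sample line carries a `;` but is not flagged because it does not target a subscription endpoint; scope the pattern to the device's real endpoint paths before using it as a NIDS or log-monitoring rule.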


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T20:22:18.880Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684208c0182aa0cae2f126f7

Added to database: 6/5/2025, 9:14:40 PM

Last enriched: 7/7/2025, 5:13:01 PM

Last updated: 8/18/2025, 12:46:47 PM
