
CVE-2025-6266: Unrestricted Upload in FLIR AX8

Severity: Medium
Published: Thu Jun 19 2025 (06/19/2025, 12:00:17 UTC)
Source: CVE Database V5
Vendor/Project: FLIR
Product: AX8

Description

A vulnerability was found in FLIR AX8 up to 1.46. It has been declared as critical. This vulnerability affects unknown code of the file /upload.php. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/19/2025, 12:31:39 UTC

Technical Analysis

CVE-2025-6266 is a vulnerability identified in the FLIR AX8 thermal imaging camera series, affecting all firmware versions up to and including 1.46. The vulnerability resides in the /upload.php endpoint, where the 'File' parameter is improperly validated, allowing an attacker to perform unrestricted file uploads remotely without requiring authentication or user interaction. This flaw enables an adversary to upload arbitrary files, potentially including malicious scripts or executables, which could lead to remote code execution, system compromise, or persistent backdoors within the device. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its network attack vector, low attack complexity, no privileges required, and no user interaction needed. However, the impact on confidentiality, integrity, and availability is rated low, suggesting limited direct damage to the device's core functions or data. Despite the medium CVSS score, the unrestricted upload capability is a critical security concern because it can serve as an initial foothold for attackers to pivot into broader network environments where the FLIR AX8 is deployed. The vendor has not responded to early disclosure attempts, and no patches or mitigations have been officially released, increasing the risk of exploitation once public proof-of-concept code becomes available. No known exploits are currently reported in the wild, but the public disclosure of the vulnerability details raises the likelihood of imminent exploitation attempts.

Potential Impact

For European organizations, the FLIR AX8 is commonly used in industrial, manufacturing, energy, and critical infrastructure sectors for thermal monitoring and safety. Exploitation of this vulnerability could allow attackers to compromise these devices, leading to unauthorized access to sensitive operational environments. This could result in disruption of monitoring capabilities, manipulation of thermal data, or use of the device as a pivot point for lateral movement within corporate or industrial networks. Given the device's role in safety and operational continuity, an attacker could indirectly cause physical damage or safety incidents by interfering with thermal monitoring systems. The lack of authentication and remote exploitability increases the risk for organizations with internet-facing or poorly segmented FLIR AX8 devices. The absence of vendor patches means organizations must rely on compensating controls, increasing operational complexity and risk. The impact on confidentiality is moderate since attackers could access device data or network segments; integrity and availability impacts are potentially more severe if attackers disrupt device functionality or inject malicious payloads. Overall, the vulnerability poses a significant risk to European organizations relying on FLIR AX8 devices in critical operational roles.

Mitigation Recommendations

1. Immediate network segmentation: isolate FLIR AX8 devices from direct internet exposure and restrict access to trusted management networks only.
2. Implement strict firewall rules to limit inbound and outbound traffic to and from the devices, allowing only necessary protocols and IP addresses.
3. Monitor network traffic for unusual upload attempts or anomalous connections to /upload.php endpoints.
4. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting file upload vulnerabilities.
5. Where possible, disable or restrict the upload functionality on the device, or replace the device with a more secure alternative if no patch is forthcoming.
6. Conduct regular vulnerability assessments and penetration tests focusing on FLIR AX8 devices and their network environment.
7. Maintain an inventory of all FLIR AX8 devices and their firmware versions to prioritize risk management.
8. Engage with FLIR support channels and monitor for any future patches or advisories.
9. Consider deploying application-layer gateways or reverse proxies that can filter and validate file uploads to the device if feasible.
10. Educate operational technology (OT) and IT teams about this vulnerability to ensure rapid incident response if exploitation is detected.
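Recommendations 1 to 3 can be combined into a simple detection: every request reaching /upload.php is logged as a finding, and any that originates outside the trusted management network is raised to an alert. The script below is an added example, not part of the advisory or FLIR's software; the log lines are constructed in combined access-log format as a reverse proxy in front of the camera would write them, and the 10.20.0.0/24 management network is a placeholder.

```python
import ipaddress
import re

# Constructed sample lines in combined access-log format, as a reverse proxy in
# front of the camera would write them (not real device logs).
SAMPLE_LOG = """\
10.20.0.5 - - [19/Jun/2025:12:01:03 +0000] "GET /index.html HTTP/1.1" 200 512
10.20.0.5 - - [19/Jun/2025:12:01:10 +0000] "POST /upload.php HTTP/1.1" 200 17
203.0.113.77 - - [19/Jun/2025:12:02:41 +0000] "POST /upload.php HTTP/1.1" 200 17
203.0.113.77 - - [19/Jun/2025:12:02:42 +0000] "GET /shell.php HTTP/1.1" 404 0
198.51.100.9 - - [19/Jun/2025:12:03:00 +0000] "POST /Upload.PHP?x=1 HTTP/1.1" 200 17
"""

# Assumed trusted management network (placeholder; match it to your segmentation).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def is_trusted(src: str) -> bool:
    """True if the source address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def analyse(log_text: str) -> list[dict[str, str]]:
    """One finding per request to /upload.php: 'alert' from outside the trusted
    networks, 'info' from inside so legitimate maintenance uploads stay auditable."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Drop the query string and compare case-insensitively.
        path = m["path"].split("?", 1)[0].lower()
        if path != "/upload.php":
            continue
        findings.append({
            "ts": m["ts"], "src": m["src"], "method": m["method"], "status": m["status"],
            "level": "info" if is_trusted(m["src"]) else "alert",
        })
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['level'].upper()}] {f['ts']} {f['src']} {f['method']} {f['status']}")
```

Feed it the proxy or firewall access log for the camera segment; a second stage could correlate alerts with subsequent requests from the same source to newly appearing paths, as in the constructed sample.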


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-19T06:02:39.903Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6853ffb833c7acc0460987d7

Added to database: 6/19/2025, 12:16:56 PM

Last enriched: 6/19/2025, 12:31:39 PM

Last updated: 8/14/2025, 10:41:09 PM

