CVE-2017-20216

FLIR · FLIR Thermal Camera Multiple Products

Executive summary

A critical remote command injection vulnerability exists in multiple FLIR Thermal Camera products. This flaw allows an unauthenticated attacker on the network to execute arbitrary commands with the highest privileges (root), enabling them to take complete control of the affected camera, access sensitive video feeds, and potentially pivot to attack other systems on the internal network.

Vulnerability

The vulnerability lies within the controllerFlirSystem.php script accessible on the device's web interface. The execFlirSystem() function within this script fails to properly sanitize user-supplied input sent via POST requests. An unauthenticated remote attacker can craft a malicious POST request containing arbitrary system commands, which are then passed directly to a shell_exec() call and executed on the underlying operating system with root privileges.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation grants an attacker complete control over the affected thermal camera. This could lead to a severe breach of physical security by disabling surveillance, manipulation of video feeds, or exfiltration of sensitive thermal imaging data. Furthermore, the compromised device can be used as a staging point for lateral movement, allowing attackers to pivot and launch further attacks against the internal corporate network, posing a significant risk of a wider data breach or operational disruption.

Remediation

Immediate Action: Apply the latest firmware updates provided by FLIR to all affected thermal camera products to patch the vulnerability. Concurrently, review system and network access logs for any signs of compromise, paying close attention to requests targeting the controllerFlirSystem.php script.

Proactive Monitoring: Monitor network traffic for suspicious POST requests to the /cgi-bin/controllerFlirSystem.php endpoint on FLIR devices. System administrators should also watch for unusual outbound network connections from the cameras, unexpected running processes, or modifications to system files that could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement network segmentation to isolate the thermal cameras from critical internal networks. Use a firewall or network access control lists (ACLs) to restrict access to the camera's web management interface to only trusted administrative workstations.
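The log review and monitoring steps above can be scripted. The following is an added example, not vendor or advisory code: it assumes combined-log-format access logs from a proxy or gateway in front of the cameras and a hypothetical admin network of 10.20.30.0/28, and it reports every request for controllerFlirSystem.php that did not come from that network.

```python
import ipaddress
import re
from urllib.parse import unquote

# Script named in the advisory; matched after URL-decoding, with or without /cgi-bin/.
ENDPOINT = re.compile(r"/controllerFlirSystem\.php(?:[/?#]|$)", re.IGNORECASE)

# Assumption: combined-log-format lines from a proxy or gateway in front of the cameras.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the only network allowed to reach the camera management interface.
ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/28")]

def is_admin(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # a hostname or malformed source is never trusted
    return any(addr in net for net in ADMIN_NETS)

def find_suspect_requests(lines):
    """Map each non-admin source to its requests for the script, as
    (timestamp, method, raw_path, status, priority) tuples."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not ENDPOINT.search(unquote(m["path"])):
            continue
        if is_admin(m["src"]):
            continue
        # The advisory describes delivery via POST, so POSTs are triaged first.
        priority = "high" if m["method"] == "POST" else "review"
        hits.setdefault(m["src"], []).append(
            (m["ts"], m["method"], m["path"], int(m["status"]), priority))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '10.20.30.5 - - [12/Mar/2024:09:14:02 +0000] "POST /cgi-bin/controllerFlirSystem.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:09:15:41 +0000] "POST /cgi-bin/controllerFlirSystem.php HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:09:15:44 +0000] "GET /cgi-bin/controllerFlirSystem%2ephp HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2024:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, reqs in find_suspect_requests(SAMPLE).items():
        for req in reqs:
            print(src, *req)
```

Any source reported here reached the script despite the access restriction, so it also serves as a check that the firewall or ACL rules are actually in effect.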

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the critical CVSS score of 9.8 and confirmed evidence of active exploitation in the wild, this vulnerability requires immediate attention. Organizations must prioritize applying the vendor-supplied firmware updates to all affected FLIR cameras without delay. Although this CVE is not currently on the CISA KEV list, its active exploitation status warrants treating it with the same level of urgency as a KEV-listed vulnerability. Implementing compensating controls, such as network segmentation for all IoT/OT devices, should be considered a standard security practice to mitigate the risk of similar vulnerabilities in the future.