CVE-2025-5126
Teledyne FLIR · AX8
The Teledyne FLIR AX8 contains a command injection vulnerability in the `setDataTime` function, allowing attackers to execute arbitrary system commands via manipulated time parameters.
Executive summary
A critical command injection vulnerability in the Teledyne FLIR AX8 allows for remote code execution, posing a severe threat to the security of the affected hardware.
Vulnerability
This vulnerability resides in the `setDataTime` function located in the `settingsregional.php` file. By injecting malicious input into the `year`, `month`, `day`, `hour`, or `minute` parameters, an attacker can achieve command injection, leading to arbitrary code execution on the device.
Business impact
Remote code execution on industrial or security hardware like the FLIR AX8 can lead to full device takeover, potentially allowing attackers to pivot into the internal network or disrupt critical operations. Given the CVSS score of 8.8, this flaw represents an urgent risk to operational technology (OT) environments.
Remediation
Immediate Action: Update the firmware to version 1.49.16 or later as provided by the vendor.
Proactive Monitoring: Monitor network traffic to and from the device for anomalous command patterns or unexpected outbound connections.
Compensating Controls: Isolate the device within a segmented network and use a firewall to restrict access to the web management interface to authorized management stations only.
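One way to support the monitoring step is to check logged requests for `settingsregional.php` and flag any time parameter that is not a plain in-range integer. This is an added example, not vendor or advisory code. It assumes a proxy or WAF log exposes the request path and form-encoded body; the request paths, record layout, numeric ranges and sample records are constructed for illustration.

```python
from urllib.parse import unquote_plus, urlsplit
import re

TARGET = "settingsregional.php"  # file named in the advisory
# Parameters named in the advisory; the numeric ranges are assumptions.
TIME_FIELDS = {"year": (1970, 2099), "month": (1, 12), "day": (1, 31),
               "hour": (0, 23), "minute": (0, 59)}
DIGITS = re.compile(r"[0-9]{1,4}")

def _pairs(encoded):
    """Split on '&' first, then decode, so an encoded ';' or '&' stays in its value."""
    for item in encoded.split("&"):
        if item:
            name, _, value = item.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def suspicious_fields(path, body=""):
    """Return {field: reason} for time parameters that are not plain in-range integers."""
    url = urlsplit(path)
    if not url.path.lower().endswith(TARGET):
        return {}
    findings = {}
    for name, value in list(_pairs(url.query)) + list(_pairs(body)):
        if name not in TIME_FIELDS:
            continue
        low, high = TIME_FIELDS[name]
        if not DIGITS.fullmatch(value):
            findings[name] = "non-numeric value %r" % value
        elif not low <= int(value) <= high:
            findings[name] = "out of range: %s" % value
    return findings

# Constructed sample records (source, request path, form body); not real traffic.
SAMPLE = [
    ("192.0.2.10", "/settingsregional.php", "year=2025&month=05&day=27&hour=10&minute=30"),
    ("198.51.100.7", "/settingsregional.php", "year=2025&month=05&day=27&hour=10&minute=30%3BEXAMPLE"),
    ("198.51.100.8", "/settingsregional.php?month=13", "year=2025"),
    ("192.0.2.10", "/index.php", "minute=30%3BEXAMPLE"),
]

def flag_requests(records):
    """Return (source, findings) for every record with a suspicious time parameter."""
    hits = []
    for source, path, body in records:
        findings = suspicious_fields(path, body)
        if findings:
            hits.append((source, findings))
    return hits

if __name__ == "__main__":
    for source, findings in flag_requests(SAMPLE):
        print(source, findings)
```

The same allowlist check (digits only, then a range test) is the shape of validation a reverse proxy in front of the device could enforce while the firmware update is being rolled out.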
Exploitation status
Public Exploit Available: true
Analyst recommendation
The potential for remote code execution makes this a critical priority. Organizations utilizing the Teledyne FLIR AX8 must apply the 1.49.16 firmware update immediately and ensure that these devices are not directly exposed to the public internet.