CVE-2017-20215
published 2026-01-08CVE-2017-20215: FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell…
PriorityP269high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
13.99%
96.1th percentile
FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flir_systems_inc | flir_thermal_camera_fc-s_pt | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/page/maintenance/lanSettings/dns
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/page/maintenance/lanSettings/dns"; fast_pattern; http.request_body; content:"dns"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.zeroscience.mk/codes/flir_rce.txt; reference:cve,2017-20215; classtype:attempted-admin; sid:2066627; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_08, cve CVE_2017_20215, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit traffic is HTTP POST to the exact URI path /page/maintenance/lanSettings/dns with a fixed URI byte size of 33; match on this path with POST method to identify exploitation attempts.
- →The injected payload in the POST body uses shell metacharacters (semicolon, newline, backtick, pipe, dollar sign) in URL-encoded or raw form within the 'dns' parameter; detect any of: ; %3B %3b, \n %0A %0a, ` %60, | %7C %7c, $ %24 appearing after the dns parameter value.
- →Traffic is expected in plaintext (non-TLS); focus detection on unencrypted HTTP sessions to/from FLIR thermal camera devices on the internal network.
- ·The vulnerability is authenticated — an attacker must first obtain valid credentials before injecting commands; detection of this exploit implies prior credential compromise or brute-force. ↗
- ·Affected firmware is specifically FLIR Thermal Camera FC-S/PT version 8.0.0.64; scope detection rules to this product/firmware version to reduce false positives. ↗
- ·The Snort/Suricata rule (sid:2066627) is designed for perimeter and internal deployment; ensure it is applied at both network boundaries for full coverage.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215)
suricata·2026-01-08·CVSS 8.7
CVE-2017-20215 [HIGH] ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215)
ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:33; content:"/page/maintenance/lanSettings/dns"; fast_pattern; http.request_body; content:"dns"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.zeroscience.mk/codes/flir_rce.txt; reference:cve,2017-20215; classtype:attempted-admin; sid:2066627; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_08, cve CVE_2017_20215, deployment Perimeter, deployment Internal, perf
No public exploits indexed.
No writeups or analysis indexed.
https://cxsecurity.com/issue/WLB-2017090207https://packetstormsecurity.com/files/144325https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043https://www.exploit-db.com/exploits/42788/https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.phphttps://cxsecurity.com/issue/WLB-2017090207https://www.exploit-db.com/exploits/42788/https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php
2026-01-08
Published