CVE-2017-20216
Published: 2026-01-08
Priority: P1 · 90 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 10.64% (95.2th percentile)
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flir_systems_inc | flir_thermal_camera_pt-series | — | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR controllerFlirSystem.php dns Parameter Command Injection Attempt (CVE-2017-20216)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maintenance/controllerFlirSystem.php|3f|"; startswith; fast_pattern; pcre:"/(?:customDateTime|dhcpMode|dns|interface|tz|server(?:s|[01]))[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.zeroscience.mk/codes/flir0.txt; reference:cve,2017-20216; classtype:attempted-admin; sid:2066626; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_08, cve CVE_2017_20216, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests use HTTP GET method targeting /maintenance/controllerFlirSystem.php with command injection characters (;, newline, backtick, pipe, $) injected into POST/GET parameters: customDateTime, dhcpMode, dns, interface, tz, servers, server0, server1
- Exploitation is unauthenticated and results in arbitrary OS command execution as root via shell_exec() calls in execFlirSystem() function; monitor for unexpected child processes spawned by a web server process on FLIR PT-Series devices
- Active exploitation observed in the wild by the Shadowserver Foundation on 2026-01-06 (UTC); prioritize detection and patching for internet-exposed FLIR PT-Series cameras
- Traffic is expected in plaintext (non-TLS); deploy detection at the network perimeter and internally for lateral movement scenarios
- Affected firmware is specifically version 8.0.0.64 of FLIR Thermal Camera PT-Series; scope detection to this product/version to reduce false positives
- The Snort/Suricata rule (SID 2066626) targets inbound HTTP to $HOME_NET; ensure $HOME_NET is correctly scoped to include FLIR camera management network segments
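The same detection logic applied retrospectively to HTTP logs, as an added example that is not part of the original page or of the rule's source: it ports the rule's PCRE to Python and also queues POSTs to the script for review, since the rule inspects only the GET URI. The log layout, the sample lines and the `classify`/`scan` names are assumptions made for the illustration.

```python
import re

# Added example: path, parameter names and metacharacters are taken from rule SID 2066626.
SCRIPT = "/maintenance/controllerFlirSystem.php"
INJECTION = re.compile(
    r"(?:customDateTime|dhcpMode|dns|interface|tz|server(?:s|[01]))[^\x26]*?"
    r"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)
# Assumed (hypothetical) log layout: <src-ip> "<METHOD> <URI> <PROTO>" <status>
LOG_LINE = re.compile(r'^(\S+) "([A-Z]+) (\S+) [^"]*" (\d{3})$')

# Constructed sample lines; PLACEHOLDER stands in for whatever follows the metacharacter.
SAMPLE_LOG = [
    '198.51.100.7 "GET /maintenance/controllerFlirSystem.php?dns=192.0.2.53%3BPLACEHOLDER HTTP/1.1" 200',
    '192.0.2.10 "GET /maintenance/controllerFlirSystem.php?dns=192.0.2.53&tz=UTC HTTP/1.1" 200',
    '198.51.100.7 "POST /maintenance/controllerFlirSystem.php HTTP/1.1" 200',
    '203.0.113.4 "GET /index.php?q=a%3Bb HTTP/1.1" 404',
    '203.0.113.4 "GET /maintenance/controllerFlirSystem.php?server0=%60PLACEHOLDER%60 HTTP/1.1" 200',
]

def classify(method, uri):
    """Return 'alert', 'review' or 'ignore' for one logged request."""
    # Same conditions as the rule: GET, URI starts with the script path plus '?',
    # and a listed parameter carries a shell metacharacter before the next '&'.
    if method == "GET" and uri.startswith(SCRIPT + "?") and INJECTION.search(uri):
        return "alert"
    # The rule inspects only the GET URI, while the advisory describes POST
    # parameters; a URI-only log never records the body, so POSTs are queued.
    if method == "POST" and uri.split("?", 1)[0] == SCRIPT:
        return "review"
    return "ignore"

def scan(lines):
    """Classify every parseable log line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        src, method, uri, status = m.groups()
        findings.append((src, classify(method, uri), status))
    return findings

if __name__ == "__main__":
    for src, verdict, status in scan(SAMPLE_LOG):
        print(f"{verdict:7} src={src} status={status}")
```

A "review" verdict is not a detection by itself; it marks requests whose body would need packet capture or device-side logs to assess.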
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-mh4f-6x7j-gjp8: FLIR Thermal Camera PT-Series firmware version 8
ghsa_unreviewed·2026-01-08
CVE-2017-20216 [CRITICAL] CWE-78 GHSA-mh4f-6x7j-gjp8: FLIR Thermal Camera PT-Series firmware version 8
VulnCheck
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2017·CVSS 9.3
CVE-2017-20216 [CRITICAL] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: FLIR Systems, Inc. FLIR Thermal Camera PT-Series
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2017-20216
Suricata
ET WEB_SPECIFIC_APPS FLIR controllerFlirSystem.php dns Parameter Command Injection Attempt (CVE-2017-20216)
suricata·2026-01-08·CVSS 9.3
CVE-2017-20216 [CRITICAL] ET WEB_SPECIFIC_APPS FLIR controllerFlirSystem.php dns Parameter Command Injection Attempt (CVE-2017-20216)
No public exploits indexed.
No writeups or analysis indexed.
- https://cxsecurity.com/issue/WLB-2017090203
- https://packetstormsecurity.com/files/144321
- https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043
- https://www.exploit-db.com/exploits/42785/
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php