CVE-2017-20216
published 2026-01-08


Priority: P1 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 10.64% (95.2th percentile)
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).

Affected

1 range

Vendor | Product | Version range | Fixed in
flir_systems_inc | flir_thermal_camera_pt-series | |

Detection & IOCs (extracted from sources)

path: /maintenance/controllerFlirSystem.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR controllerFlirSystem.php dns Parameter Command Injection Attempt (CVE-2017-20216)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maintenance/controllerFlirSystem.php|3f|"; startswith; fast_pattern; pcre:"/(?:customDateTime|dhcpMode|dns|interface|tz|server(?:s|[01]))[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,www.zeroscience.mk/codes/flir0.txt; reference:cve,2017-20216; classtype:attempted-admin; sid:2066626; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_08, cve CVE_2017_20216, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests use HTTP GET method targeting /maintenance/controllerFlirSystem.php with command injection characters (;, newline, backtick, pipe, $) injected into POST/GET parameters: customDateTime, dhcpMode, dns, interface, tz, servers, server0, server1
  • Exploitation is unauthenticated and results in arbitrary OS command execution as root via shell_exec() calls in execFlirSystem() function; monitor for unexpected child processes spawned by a web server process on FLIR PT-Series devices
  • Active exploitation observed in the wild by the Shadowserver Foundation on 2026-01-06 (UTC); prioritize detection and patching for internet-exposed FLIR PT-Series cameras
  • Traffic is expected in plaintext (non-TLS); deploy detection at the network perimeter and internally for lateral movement scenarios
  • Affected firmware is specifically version 8.0.0.64 of FLIR Thermal Camera PT-Series; scope detection to this product/version to reduce false positives
  • The Snort/Suricata rule (SID 2066626) targets inbound HTTP to $HOME_NET; ensure $HOME_NET is correctly scoped to include FLIR camera management network segments
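
For retrospective hunting where only web or proxy access logs are available, the same indicators can be checked offline. The script below is an added example, not part of the rule above or of any vendor tooling: it percent-decodes each watched parameter before testing for the listed metacharacters, and it assumes a common/combined log format. The function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TARGET_PATH = "/maintenance/controllerFlirSystem.php"
# Parameter names listed in the detection notes above.
WATCHED = {"customDateTime", "dhcpMode", "dns", "interface", "tz",
           "servers", "server0", "server1"}
# Metacharacters listed above: semicolon, newline, backtick, pipe, dollar.
META = set(";\n`|$")
# Assumption: the request line appears in double quotes (common/combined log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return sorted watched parameter names whose decoded value holds a metacharacter."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = set()
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        # Decode first so %3B and a literal ';' are treated alike.
        if unquote_plus(name) in WATCHED and META & set(unquote_plus(value)):
            hits.add(unquote_plus(name))
    return sorted(hits)

def scan(lines):
    """Return (line_number, method, [parameter names]) for each matching log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            params = suspicious_params(m.group("target"))
            if params:
                findings.append((n, m.group("method"), params))
    return findings

# Constructed sample log lines (not captured traffic); IPs are documentation ranges.
P = "/maintenance/controllerFlirSystem.php"
SAMPLE_LOG = [
    f'198.51.100.7 - - [06/Jan/2026:10:00:01 +0000] "GET {P}?dns=192.0.2.53 HTTP/1.1" 200 512',
    f'198.51.100.7 - - [06/Jan/2026:10:00:02 +0000] "GET {P}?dns=192.0.2.53%3BEXAMPLE HTTP/1.1" 200 512',
    f'198.51.100.9 - - [06/Jan/2026:10:00:03 +0000] "GET {P}?tz=UTC&server0=192.0.2.1%60EXAMPLE%60 HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Jan/2026:10:00:04 +0000] "GET /index.php?dns=a%7Cb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record query strings only, so parameters sent in a POST body are not visible to this check and need body inspection on a proxy or sensor.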

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | | 9.3 | CRITICAL |