cbcvebase.
CVE-2023-51126
published 2024-01-10


Priority: P274 (critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 31.10% (98.0th percentile)
Command injection vulnerability in /usr/www/res.php in FLIR AX8 up to 1.46.16 allows attackers to run arbitrary commands via the value parameter. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16.

Affected

1 range

Vendor   Product             Version range   Fixed in
flir     flir_ax8_firmware   <= 1.46.16      (not listed)

Detection & IOCs (extracted from sources)

path: /usr/www/res.php
url: /res.php
  • Exploit traffic is HTTP POST only, targeting the exact 8-byte URI /res.php; filter on HTTP method POST + URI bsize:8 to reduce false positives.
  • The injection payload is carried in the POST body in the 'value' parameter; look for shell metacharacters (;, newline \x0a, backtick \x60, pipe |, dollar $) immediately following 'value=' and not preceded by an ampersand.
  • Traffic is expected in plaintext (no TLS); deploy detection at the network perimeter and internally.
  • PoC/exploit reference available at github.com/risuxx/CVE-2023-51126; monitor for scanning/exploitation attempts originating from hosts that have recently fetched this repository.
  • Only FLIR AX8 devices running firmware 1.46.16 and earlier are vulnerable; firmware 1.49.16 (Jan 2023) and later are patched. Prioritise detection on unpatched devices.
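As an added illustration of the detection notes above (example code written for this page, not taken from the PoC repository or any vendor tooling), the following Python applies the stated criteria to request records: POST, URI exactly /res.php, and a 'value' parameter carrying a shell metacharacter. Two assumptions go beyond the notes: the body is URL-decoded before inspection, and the metacharacter may appear anywhere in the decoded value rather than only as its first byte; the sample records are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters named in the detection notes: ; newline backtick | $
SHELL_METACHARS = frozenset(";\n`|$")

# Matches a 'value' parameter at the start of the body or right after '&',
# so 'myvalue=' does not count. Group 1 is the raw (still encoded) value.
VALUE_PARAM = re.compile(r"(?:^|&)value=([^&]*)")


def is_suspicious(method: str, uri: str, body: str) -> bool:
    """True when a request matches the CVE-2023-51126 exploitation pattern."""
    if method != "POST" or uri != "/res.php":   # exact 8-byte URI only
        return False
    for match in VALUE_PARAM.finditer(body):
        # Assumption: payloads may be URL-encoded, so decode before checking.
        decoded = unquote_plus(match.group(1))
        if any(ch in SHELL_METACHARS for ch in decoded):
            return True
    return False


# Constructed sample records (method, uri, body); parameter names other
# than 'value' are placeholders, not the device's real API.
SAMPLE_REQUESTS = [
    ("POST", "/res.php",   "x=1&value=;id"),           # raw ';'
    ("POST", "/res.php",   "x=1&value=%60id%60"),      # encoded backticks
    ("POST", "/res.php",   "x=1&value=%0aid"),         # encoded newline
    ("POST", "/res.php",   "x=1&value=1"),             # benign value
    ("POST", "/res.php",   "myvalue=;id"),             # not the 'value' param
    ("GET",  "/res.php",   "value=;id"),               # wrong method
    ("POST", "/index.php", "value=;id"),               # wrong URI
]


def scan(requests):
    """Return the indices of records that match the detection criteria."""
    return [i for i, (m, u, b) in enumerate(requests) if is_suspicious(m, u, b)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspicious:", SAMPLE_REQUESTS[i])
```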