CVE-2025-5126
Published: 2025-05-24
Priority: P2 · 64 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 4.67% (90.6th percentile)
A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. It affects the function setDataTime in the file \usr\www\application\models\settingsregional.php. Manipulating the argument year/month/day/hour/minute results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 1.49.16 resolves this issue, and upgrading the affected component is recommended. The vendor points out: "FLIR AX8 internal web site has been refactored to be able to handle the reported vulnerabilities."
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flir | flir_ax8_firmware | 1.46.0 – 1.46.16 | — |
| teledyne_flir | ax8 | — | — |
Detection & IOCs
URL: /settings/setDateTime/
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR setDateTime Command Injection Attempt (CVE-2025-5126)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/settings/setDateTime/"; fast_pattern; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/YZS17/CVE/blob/main/FLIR-AX8/%24day%20parameter%20in%20the%20file%20settingsregional.php%20has%20a%20Remote%20Command%20Injection.md; reference:cve,2025-5126; classtype:attempted-admin; sid:2065888; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_24, cve CVE_2025_5126, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Look for HTTP POST requests to the exact URI '/settings/setDateTime/' (bsize:22) on FLIR AX8 devices. The URI length is fixed at 22 bytes, making it a precise fast-pattern match.
- Detect command injection characters in POST body parameters (year/month/day/hour/minute): semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24). Both raw and URL-encoded forms should be inspected.
- The exploit is public and the attack can be initiated remotely over plaintext HTTP (tls_state: plaintext). Prioritize perimeter and internal network monitoring for this signature.
- Manipulation of the argument year/month/day/hour/minute in the setDataTime function leads to command injection. All date/time parameters should be treated as injection vectors.
- The vulnerability is fixed in firmware version 1.49.16. Devices running 1.46.16 or earlier are affected. Verify firmware version before deploying detection rules to avoid false positives on patched devices.
- The Snort/Suricata rule (sid:2065888) targets plaintext HTTP only. If the FLIR AX8 web interface is accessed over HTTPS or a non-standard port, the rule will not fire and additional coverage is needed.
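As an added example (not part of the original page or of the ET rule), the Python below applies the same URI and metacharacter checks to already-decoded request records, for instance reverse-proxy logs covering HTTPS traffic that the plaintext rule cannot see. The record layout, the function names and the digits-only allowlist are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl

TARGET_URI = "/settings/setDateTime/"   # exact URI from the rule (22 bytes)
DATE_PARAMS = ("year", "month", "day", "hour", "minute")
# Metacharacters listed in the rule's pcre, matched after URL-decoding:
# semicolon, newline, backtick, pipe, dollar sign.
SHELL_META = re.compile(r"[;\n`|$]")
# Assumption: legitimate date/time values are short digit strings.
NUMERIC = re.compile(r"\d{1,4}")


def check_request(method, uri, body):
    """Return {param: reason} for suspicious date/time parameters, else {}."""
    if method.upper() != "POST" or uri != TARGET_URI:
        return {}
    findings = {}
    # parse_qsl URL-decodes values, so ';' and '%3B' are treated alike.
    # separator="&" keeps a raw ';' inside the value instead of splitting on it.
    for name, value in parse_qsl(body, keep_blank_values=True, separator="&"):
        if name not in DATE_PARAMS:
            continue
        if SHELL_META.search(value):
            findings[name] = "shell metacharacter"
        elif not NUMERIC.fullmatch(value):
            findings[name] = "non-numeric value"
    return findings


def scan(records):
    """Return (index, findings) for every record that has findings."""
    hits = []
    for i, (method, uri, body) in enumerate(records):
        found = check_request(method, uri, body)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample records: (method, uri, body)
SAMPLES = [
    ("POST", TARGET_URI, "year=2025&month=05&day=24&hour=10&minute=30"),
    ("POST", TARGET_URI, "year=2025&month=05&day=24%3BPLACEHOLDER&hour=10&minute=30"),
    ("POST", TARGET_URI, "year=2025&month=05&day=24&hour=10&minute=3x"),
    ("GET", TARGET_URI, "day=24;PLACEHOLDER"),
]

if __name__ == "__main__":
    for index, found in scan(SAMPLES):
        print(index, found)
```

The allowlist branch also flags values the rule's character list would miss, which is useful on patched and unpatched devices alike when reviewing who is sending malformed date/time values.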
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS FLIR setDateTime Command Injection Attempt (CVE-2025-5126)
suricata·2025-11-24·CVSS 7.4
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24hour.md
- https://github.com/YZS17/CVE/blob/main/Remote%20Command%20Injection%20in%20parameter%20%24minute.md
- https://vuldb.com/?ctiid.310204
- https://vuldb.com/?id.310204
- https://vuldb.com/?submit.570725
- https://vuldb.com/?submit.572266
- https://vuldb.com/?submit.572275
- https://vuldb.com/?submit.572277