CVE-2018-25138 in AX8 Thermal Camera

Summary

by MITRE • 12/24/2025

FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and log in to multiple camera interfaces using predefined username and password combinations.

Analysis

by VulDB Data Team • 01/05/2026

The FLIR AX8 Thermal Camera running firmware version 1.32.16 presents a critical security vulnerability through the inclusion of hard-coded credentials that remain unchanged regardless of normal operational procedures. This vulnerability stems from improper implementation of authentication mechanisms within the device's firmware, where default administrative credentials are embedded directly into the system code rather than being generated dynamically or stored securely. The hard-coded nature of these credentials means they persist across device reboots, firmware updates, and any standard administrative operations that might otherwise reset or modify authentication parameters.

This technical flaw represents a significant weakness in the device's security architecture and aligns with CWE-798, which specifically addresses the use of hard-coded credentials in software systems. The vulnerability creates a persistent backdoor that allows unauthorized parties to establish shell access and gain administrative control over the thermal camera device. Attackers can leverage these predefined credentials to access both SSH services and the web-based management panel, effectively bypassing all normal authentication mechanisms that should protect the device from unauthorized access. The inability to modify these credentials through standard operational procedures indicates a fundamental flaw in the device's design that violates basic security principles of credential management and access control.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to execute arbitrary commands on the device, potentially leading to complete system compromise. Once an attacker gains shell access, they can modify device configurations, access stored thermal imaging data, disable security features, or even use the device as a pivot point for attacking other systems within the same network. The web panel access provides additional attack surface through potential cross-site scripting vulnerabilities or other web-based exploits that may be present in the camera's management interface. This vulnerability particularly affects organizations relying on FLIR AX8 cameras for security monitoring, as it creates a persistent threat vector that remains active regardless of network segmentation or other security measures.

Security mitigation strategies for this vulnerability require immediate action from affected organizations, including disabling unnecessary services where possible, implementing network segmentation to limit access to these devices, and establishing monitoring protocols for unauthorized access attempts. The most effective long-term solution involves firmware updates from FLIR that address the hard-coded credential issue through proper credential generation and secure storage mechanisms. Organizations should also implement network access controls using firewalls and intrusion detection systems to monitor for attempts to access the camera using default credentials. This vulnerability demonstrates the importance of following security best practices such as those outlined in the NIST Cybersecurity Framework, particularly in areas related to access control and system hardening. The ATT&CK framework categorizes this type of vulnerability under privilege escalation techniques, where adversaries exploit weak authentication mechanisms to gain elevated access to systems, making it a critical concern for cybersecurity teams managing industrial control systems and IoT devices.

Responsible

VulnCheck

Reservation

12/24/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00214

KEV

no

Activities

very low
