CVE-2018-25141 in Thermal Traffic Cameras
Summary
by MITRE • 12/24/2025
FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/25/2025
The FLIR thermal traffic camera vulnerability identified as CVE-2018-25141 represents a critical security flaw in embedded video surveillance systems that directly impacts the confidentiality and integrity of video data. This vulnerability stems from inadequate authentication mechanisms within the camera's web interface, allowing unauthenticated remote access to sensitive video streams. The flaw specifically affects FLIR thermal traffic cameras that implement web-based streaming protocols, creating a pathway for malicious actors to bypass normal access controls and obtain real-time video feeds from potentially sensitive locations such as traffic intersections, parking areas, or public spaces.
The technical implementation of this vulnerability involves the exposure of multiple streaming endpoints that operate without proper authentication checks. Attackers can directly access specific URL patterns including /live.mjpeg for continuous jpeg streaming, /snapshot.jpg for single image captures, and RTSP streaming URLs that provide real-time video transmission protocols. These endpoints are designed to deliver video content but fail to implement any form of user authentication or access control validation. The vulnerability manifests as a failure in the web server component to verify client credentials before serving video content, effectively creating a backdoor that allows any remote attacker to obtain live video feeds simply by knowing the appropriate endpoint URLs.
From an operational perspective, this vulnerability creates significant risks for organizations deploying FLIR thermal cameras in public or sensitive environments. The ability to access live video streams without credentials means that unauthorized individuals can monitor real-time activities at locations where such surveillance is deployed, potentially compromising privacy of individuals and exposing operational details that could be exploited for malicious purposes. The impact extends beyond simple privacy concerns as these cameras are often used in traffic management, security monitoring, and industrial applications where unauthorized access to video feeds could enable surveillance of critical infrastructure or provide insights into operational procedures that might be used for targeted attacks.
The vulnerability aligns with CWE-287 which addresses improper authentication issues in software systems, specifically highlighting the failure to properly verify user credentials before granting access to protected resources. From an adversary perspective, this vulnerability maps to several ATT&CK techniques including T1046 for network service scanning and T1071 for application layer protocol usage, as attackers would need to identify the specific endpoints and then access them to obtain video streams. The attack surface is particularly concerning because the vulnerability affects the camera's web interface directly, meaning that attackers do not need to exploit additional vulnerabilities to gain access to video feeds, making this a high-severity issue that can be exploited with minimal technical expertise.
Organizations should implement immediate mitigations including network segmentation to isolate camera systems from general network access, deployment of network access controls to restrict access to specific IP addresses or ranges, and implementation of additional authentication layers where possible. The most effective long-term solution involves firmware updates from FLIR that properly implement authentication mechanisms for all streaming endpoints, ensuring that only authorized users can access video feeds. Additionally, organizations should consider implementing network monitoring to detect unusual access patterns to streaming endpoints and establish protocols for regular security assessments of embedded surveillance systems to identify similar vulnerabilities before they can be exploited by malicious actors.