| Title | FLIR FLIR FB-Series O FLIR FB-Series O and ID Firmware, Version 1.3.2.16 Command Injection |
|---|
| Description | The built-in `sendCommand()` function in the production.html page is intended to call the backend `runcmd.sh` script to execute arbitrary commands, with a hardcoded backdoor password. Although this functionality is currently disabled due to server CGI configuration errors, it is essentially a "time bomb" waiting to be activated. |
|---|
| Source | ⚠️ https://github.com/waiwai24/0101/blob/main/CVEs/FLIR/Command_Injection_Vulnerability_in_Developer_Backdoor_Page.md |
|---|
| User | waiwai24 (UID 81637) |
|---|
| Submission | 07/04/2025 21:14 (12 months ago) |
|---|
| Moderation | 07/13/2025 09:47 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 316276 [Teledyne FLIR FB-Series O/FLIR FH-Series ID 1.3.2.16 runcmd.sh sendCommand cmd command injection] |
|---|
| Points | 19 |
|---|