FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations.
References
| Link | Resource |
|---|---|
| https://www.exploit-db.com/exploits/45629 | Exploit Third Party Advisory VDB Entry |
| https://www.flir.com | Product |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php | Exploit Third Party Advisory |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php | Exploit Third Party Advisory |
Configurations
History
05 Jan 2026, 14:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
31 Dec 2025, 18:42
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.exploit-db.com/exploits/45629 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.flir.com - Product | |
| References | () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php - Exploit, Third Party Advisory | |
| CPE | cpe:2.3:o:flir:flir_ax8_firmware:1.32.16:*:*:*:*:*:*:* cpe:2.3:o:flir:flir_ax8_firmware:1.17.13:*:*:*:*:*:*:* cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:* |
|
| First Time |
Flir flir Ax8 Firmware
Flir flir Ax8 Flir |
24 Dec 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php - |
24 Dec 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-24 20:15
Updated : 2026-01-05 14:15
NVD link : CVE-2018-25138
Mitre link : CVE-2018-25138
CVE.ORG link : CVE-2018-25138
JSON object : View
Products Affected
flir
- flir_ax8
- flir_ax8_firmware
CWE
CWE-798
Use of Hard-coded Credentials