CVE-2023-51126
📋 TL;DR
This CVE describes a command injection vulnerability in FLIR AX8 thermal cameras that allows attackers to execute arbitrary commands on the device via the value parameter in the /usr/www/res.php endpoint. Attackers can achieve remote code execution with high privileges. All FLIR AX8 devices running firmware versions up to 1.46.16 are affected.
💻 Affected Systems
- FLIR AX8 Thermal Camera
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, disable security functions, or use the device as part of a botnet.
Likely Case
Remote code execution leading to device takeover, data exfiltration, or use in DDoS attacks.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting the isolated camera device.
🎯 Exploit Status
Public proof-of-concept code is available on GitHub, making exploitation straightforward for attackers with network access to vulnerable devices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.49.16 and later (latest is 1.55.16 as of Jun 2024)
Vendor Advisory: Not provided in CVE details
Restart Required: Yes
Instructions:
1. Download the latest firmware from the FLIR support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the update.
5. Reboot the device.
6. Verify the firmware version.
🔧 Temporary Workarounds
Network Access Restriction
Block external access to the FLIR AX8 web interface and restrict internal access to authorized IPs only. The rules below are appended to the INPUT chain, so they only take effect if no earlier rule already accepts the traffic; if HTTPS is enabled on the device, add matching rules for port 443.
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Endpoint Protection
Deploy WAF rules to block command injection patterns targeting the res.php endpoint.
🧯 If You Can't Patch
- Isolate FLIR AX8 devices on separate VLAN with strict firewall rules preventing outbound connections.
- Disable web interface access and use alternative management methods if available.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface at http://<device-ip>/system.html or, if SSH is enabled, run cat /etc/version on the device.
Check Version:
curl -s http://<device-ip>/system.html | grep -i firmware || ssh admin@<device-ip> 'cat /etc/version'
Verify Fix Applied:
Confirm the firmware version is 1.49.16 or higher using the same methods as the vulnerability check.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /usr/www/res.php with shell metacharacters
- Unexpected command execution in system logs
- Multiple failed login attempts followed by res.php access
Network Indicators:
- HTTP requests to res.php containing pipe (|), semicolon (;), backticks (`), or dollar parentheses ($()) characters
- Outbound connections from camera to unusual destinations
SIEM Query:
source="web_logs" AND uri="/usr/www/res.php" AND (request CONTAINS "|" OR request CONTAINS ";" OR request CONTAINS "`" OR request CONTAINS "$(")
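The SIEM query above matches on raw metacharacters, which misses URL-encoded payloads. The following Python scanner, added here as an example and not part of the original advisory, applies the same indicators to access-log lines after decoding the query string (including one extra decode pass to catch double-encoding). The log lines and IP addresses are constructed for the example; the only parameter name taken from the advisory is value.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Shell metacharacters the advisory lists as network indicators for res.php abuse.
SHELL_METACHARS = ("|", ";", "`", "$(")
VULN_ENDPOINT = "/usr/www/res.php"

# Common Log Format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for res.php query params carrying shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != VULN_ENDPOINT:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            # parse_qs already decoded once; decode again to catch %25-style double-encoding
            decoded = unquote_plus(v)
            if any(m in decoded for m in SHELL_METACHARS):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Return (src, ts, method, params) for each request matching the indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        hits = suspicious_params(m["target"])
        if hits:
            findings.append((m["src"], m["ts"], m["method"], hits))
    return findings

# Constructed sample lines (not real traffic); addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /usr/www/res.php?value=1 HTTP/1.1" 200 51',
    '10.0.0.9 - - [10/Jun/2024:12:00:07 +0000] "POST /usr/www/res.php?value=1%3Bls HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Jun/2024:12:00:09 +0000] "GET /usr/www/res.php?value=%2524%2528uptime%2529 HTTP/1.1" 200 12',
    '10.0.0.7 - - [10/Jun/2024:12:00:15 +0000] "GET /system.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for src, ts, method, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {method} {VULN_ENDPOINT} -> {hits}")
```

Bodies of POST requests are not in a standard access log, so for POST-based abuse the same check has to run on WAF or reverse-proxy logs that record the request body.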