Key Information

Vulnerability Title: FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit
Advisory ID: ZSL-2018-5491
Vulnerability Type: Local/Remote
Impact: System Access, DoS
Risk: 5/5
Release Date: 14.10.2018

Vulnerability Description

Main Issue

FLIR AX8 thermal sensor camera contains two unauthenticated command injection vulnerabilities. The issue occurs when calling the function in and files, passing multiple unfiltered HTTP GET/POST parameters.

Relevant Code Snippets

res.php
palette.php

Affected Versions

Firmware Version: 1.32.16, 1.17.13
Operating System: neco_v1.8-0-g77fe5b3
Hardware: Flir Systems Neco Board

Test Platform

GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)
Lighttpd/1.4.33
PHP/5.4.14

POC

flir_ax8_root.py

Discoverer

Gjoko Krstic - gjoko@zeroscience.mk
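
Detection sketch for the Main Issue above, added here as an example and not part of the advisory or of any FLIR or Zero Science code: it scans web server access log lines for requests to res.php or palette.php whose decoded query values contain shell metacharacters. The common access log format, the parameter name `p` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script names taken from the advisory page.
WATCHED = ("res.php", "palette.php")
# Separators and substitution syntax that a shell would act on.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")
# Assumed common log format: ip - - [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_requests(lines):
    """Return (client, path, param, value) tuples for requests to the watched
    scripts whose URL-decoded query values contain shell metacharacters.
    POST bodies are not written to access logs, so this covers GET only."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, _ts, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] not in WATCHED:
            continue
        # parse_qsl percent-decodes each value, so %3B is seen as ';'
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META.search(value):
                hits.append((client, url.path, name, value))
    return hits

# Constructed sample lines (documentation IP range, hypothetical parameter "p").
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Oct/2018:10:00:01 +0000] "GET /res.php?p=1 HTTP/1.1" 200 12',
    '192.0.2.44 - - [14/Oct/2018:10:00:05 +0000] "GET /palette.php?p=1%3Becho%20test HTTP/1.1" 200 0',
    '192.0.2.44 - - [14/Oct/2018:10:00:09 +0000] "GET /res.php?p=%24%28echo%20test%29 HTTP/1.1" 200 0',
    '192.0.2.10 - - [14/Oct/2018:10:00:12 +0000] "GET /index.php?p=a%7Cb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the advisory describes the injection as unauthenticated, any hit from a client outside the management network is worth triage regardless of the HTTP status returned.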