CVE-2017-20216

CVE-2017-20216 is a set of multiple unauthenticated remote command injection vulnerabilities affecting FLIR Thermal Camera PT-Series firmware version 8.0.0.64. The flaws reside in the controllerFlirSystem.php script, where the execFlirSystem() function processes unsanitized POST parameters through shell_exec() calls, enabling attackers to execute arbitrary system commands as root. This OS command injection issue, classified under CWE-78, carries a critical CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers with network access to the affected device can exploit these vulnerabilities remotely without user interaction or privileges. Exploitation allows full root-level command execution, granting high-impact control over confidentiality, integrity, and availability, such as running malicious code, exfiltrating data, altering configurations, or disrupting device operations.

Advisories and detailed analyses, including proof-of-concept exploits, are available in references such as https://cxsecurity.com/issue/WLB-2017090203, https://packetstormsecurity.com/files/144321, an archived FLIR security blog post at https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043, https://www.exploit-db.com/exploits/42785/, and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php. Security practitioners should review these for vendor-recommended patches, firmware updates, or temporary mitigations like network segmentation.

Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC), shortly before the CVE publication on 2026-01-08, confirming real-world activity against exposed PT-Series cameras.