Cyber Posture

CVE-2018-25138

Critical · Public PoC

Published: 24 December 2025

Modified: 05 January 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and log in to multiple camera interfaces using predefined username and password combinations.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: IA-5 requires secure management of authenticators including generation of strong, unique, and changeable credentials, directly preventing the use of unmodifiable hard-coded SSH and web panel credentials.

Prevent: AC-2 mandates identification, provisioning, and management of accounts with unique authenticators, enabling disablement or modification of accounts tied to hard-coded credentials.

Prevent: CM-6 enforces secure configuration settings for system components, allowing verification and correction of default or hard-coded credentials during deployment and maintenance.

Security Summary · AI

CVE-2018-25138 is a critical vulnerability in the FLIR AX8 Thermal Camera version 1.32.16, involving hard-coded credentials for SSH access and the web panel that cannot be modified through normal camera operations. These persistent, predefined username and password combinations enable unauthorized access, classified under CWE-798 (Use of Hard-coded Credentials). The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact across confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability without privileges, authentication, or user interaction by simply using the exposed credentials to gain shell access via SSH or log into multiple camera interfaces. Successful exploitation grants full unauthorized control over the affected device, allowing attackers to execute arbitrary commands, manipulate camera functions, or pivot to other network assets.

Advisories and additional details are available from Zero Science Lab (ZSL-2018-5494 at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5494.php), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/45629), and the vendor site (https://www.flir.com), which may provide mitigation or patch guidance.

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials)

Affected Products

flir · flir ax8 firmware · 1.17.13, 1.32.16

MITRE ATT&CK Enterprise Techniques · AI

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.

T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

Hard-coded credentials enable the use of default accounts (T1078.001) for initial access via SSH (T1021.004) and external remote services such as the web panel (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
