CVE-2017-20216

CVE Database · CVE-2017-20216

CVE-2017-20216

· CRITICALDeferred

CVSS v3.1

9.8

CVSS v4.0

9.3

EPSS

10.64%

Published

Jan 7, 2026

Modified

Apr 14, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

References (6)

https://cxsecurity.com/issue/WLB-2017090203

https://packetstormsecurity.com/files/144321

https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043

https://www.exploit-db.com/exploits/42785/

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php

KEV Catalog EPSS Scores Vendors All CVEs