Command Injection Vulnerability in Teledyne FLIR FB-Series O and FH-Series ID
CVE-2025-7578

2.3 LOW

Key Information:

Vendor: Teledyne

CVE Published: 14 July 2025

What is CVE-2025-7578?

A command injection vulnerability exists in Teledyne FLIR's FB-Series O and FH-Series ID products. The sendCommand function in runcmd.sh does not properly handle its command argument, which allows remote attackers to execute arbitrary commands through that function. Exploitation is currently mitigated by a misconfiguration in the server's CGI setup, but the vulnerability remains a significant threat and has been likened to a 'time bomb' that could be exploited if the misconfiguration is addressed. Attempts to notify the vendor of this vulnerability received no response.

Affected Version(s)

FLIR FB-Series O 1.3.2.16

FLIR FH-Series ID 1.3.2.16

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

waiwai24 (VulDB User)