CVE-2017-20216 CRITICAL

CVE-2017-20216: FLIR Thermal Camera PT-Series firmware version 8.0.0.64 Unauthenticated Remote Command Injection

Vendor: Flir Systems, Inc.
Product: FLIR Thermal Camera PT-Series
Weakness: CWE-78
Published: January 7, 2026
Last update: April 7, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC).

Key dates

02 Disclosure timeline

January 7, 2026: CVE published
April 7, 2026: Record updated