CVE-2018-25138 CRITICAL

CVE-2018-25138: FLIR AX8 Thermal Camera 1.32.16 Hard-Coded Credentials Authentication Bypass

Vendor Flir Systems
Product FLIR AX8 Thermal Camera
Weakness CWE-798 · Hardcoded credentials
Published December 24, 2025
Last update January 5, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations.

Key dates

02Disclosure timeline

December 24, 2025 CVE published
January 5, 2026 Record updated