CVE-2017-20212
Description
FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FLIR thermal camera firmware 8.0.0.64 contains an unauthenticated arbitrary file read vulnerability via unverified input in the xml.php readFile() function.
Vulnerability
Overview
CVE-2017-20212 is an information disclosure vulnerability in FLIR Thermal Camera models running firmware version 8.0.0.64, affecting F, FC, PT, and D series devices. The flaw resides in the /var/www/data/controllers/api/xml.php file, where the private readFile() function accepts user-supplied input passed through several parameters without proper validation [2][3]. The function only checks whether the parameter is non-empty and whether the file exists before reading its contents via file_get_contents() and returning them in the response [2][3].
Exploitation
An unauthenticated attacker can exploit this by sending crafted HTTP requests to the camera's API endpoint that invokes the readFile() method. No authentication or prior access is required because the vulnerable endpoint is exposed without access control [1][2]. The attacker can supply arbitrary file paths, including path traversal sequences, to read any readable file on the camera's local filesystem [2][3].
Impact
Successful exploitation allows reading sensitive local files such as configuration files, credentials, cryptographic keys, or other system data stored on the camera's filesystem [1][2]. This information could be used to further compromise the device or the network it resides on. The vulnerability is classified with a CVSS v3 severity of Medium (6.2) due to its low attack complexity and confidentiality impact.
Mitigation
FLIR acknowledged the report from an independent security researcher and released Security Patch v1.1 for the affected product families on October 9, 2017 [4]. The patch is available by contacting FLIR thermal support; device owners should apply the update immediately. As a workaround, FLIR recommends placing cameras on secured, isolated networks to reduce exposure until patching is complete [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 8.0.0.64
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.