CVE-2022-37061 Scanner

CVE-2022-37061 Scanner - Remote Command Injection vulnerability in FLIR AX8

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

FLIR AX8 is an automated thermal imaging sensor widely used in industrial and commercial environments for temperature monitoring and predictive maintenance. It integrates thermal and visual cameras, providing real-time analytics to detect anomalies and alert users. The device’s alarm functionality is critical for notifying operators of temperature threshold breaches or other conditions requiring attention. FLIR AX8 is deployed in settings such as manufacturing plants, power generation facilities, and building management systems. The device runs embedded software that controls sensor operation and alerting mechanisms. Regular firmware updates are released to enhance security and functionality.

This vulnerability involves a remote command injection flaw in the alarm feature of FLIR AX8 devices running firmware version 1.46.16 or earlier. The vulnerability arises because user input supplied in the 'id' parameter is not properly sanitized before being used in operating system commands. This lack of input validation allows unauthenticated attackers to inject arbitrary OS commands remotely. Successful exploitation can lead to unauthorized execution of commands with the privileges of the application, severely compromising the device and its environment.

Technically, the exploit sends a POST request to the /res.php endpoint with the action parameter set to alarm and the id parameter containing a malicious command sequence, such as a secondary command appended with a semicolon. The scanner verifies the vulnerability by detecting typical OS command output patterns in the response body, such as user and group identifiers (uid, gid) and specific keywords like visualBeep. An HTTP 200 status confirms only that the request was accepted; the presence of that command output in the body is what confirms that the injected commands were executed on the device.
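As an added example (not part of the original page or of the scanner's own code), the detection side of the same behaviour: a small Python routine that flags POST requests to /res.php whose alarm id carries shell metacharacters, run over constructed reverse-proxy log lines. The log format and the assumption that legitimate ids are plain integers are mine.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real device logs): a reverse proxy in front of the
# camera logging client, method, path and the URL-encoded form body of each request.
SAMPLE_LOG = """\
10.0.0.5 POST /res.php action=alarm&id=3
10.0.0.7 POST /res.php action=alarm&id=3%3Bid
10.0.0.7 POST /res.php action=alarm&id=2%20%26%26%20id
10.0.0.9 GET /index.html -
10.0.0.5 POST /res.php action=status&id=2
10.0.0.8 POST /res.php action=alarm&id=abc
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Shell metacharacters that should never appear in an alarm identifier.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

def classify_id(path, body):
    """Return a reason string if the request looks like abuse of the alarm
    'id' parameter on /res.php, otherwise None."""
    if path != "/res.php":
        return None
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    if params.get("action") != ["alarm"]:
        return None
    for raw_id in params.get("id", []):
        if SHELL_META.search(raw_id):
            return "command-injection"
        if not raw_id.isdigit():  # assumption: legitimate ids are integers
            return "unexpected-id"
    return None

def find_injection_attempts(log_text):
    """Scan log lines and return (client, decoded id, reason) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, body = m.groups()
        if method != "POST" or body == "-":
            continue
        reason = classify_id(path, body)
        if reason:
            decoded_id = parse_qs(body)["id"][0]
            hits.append((client, decoded_id, reason))
    return hits

if __name__ == "__main__":
    for client, ident, reason in find_injection_attempts(SAMPLE_LOG):
        print(f"{client}: id={ident!r} ({reason})")
```

The same check can be applied at a WAF or proxy in front of an unpatched device as a stopgap until the firmware upgrade is done.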

Exploitation can result in complete device compromise, allowing attackers to manipulate sensor data, disable alarms, or pivot to other systems on the network. The integrity and availability of monitoring functions are at risk, potentially leading to undetected faults or hazards. Confidential information stored or transmitted by the device may also be exposed. Due to the critical severity, immediate firmware upgrades and input sanitization improvements are strongly recommended to prevent exploitation.
