CVE-2022-37060
moderate-risk
Published 2022-08-18
FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to directory traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the reported vulnerability. The latest firmware version as of Oct 2025 is 1.55.16, released Jun 2024.
Do I need to act?
39.5% chance of exploitation in next 30 days
EPSS score — higher than 60% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10
High
NETWORK / LOW complexity
Affected Products (1)
Affected Vendors
References (8)
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5493.php
48 / 100
moderate-risk
Severity
26/34 · High
Exploitability
17/34 · Moderate
Exposure
5/34 · Minimal