CVE-2022-37060
HIGHFLIR AX8 Firmware <= 1.46.16 - Unauthenticated Directory Traversal
Title source: llmDescription
FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. Latest firmware version (as of Oct 2025, was released Jun 2024) is 1.55.16.
References (4)
Core 4
Core References
Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/168116/FLIR-AX8-1.46.16-Traversal-Access-Control-Command-Injection-XSS.html
Exploit, Mitigation, Third Party Advisory
https://gist.github.com/Nwqda/9e16852ab7827dc62b8e44d6180a6899
Product, Vendor Advisory
https://www.flir.com/products/ax8-automation/
Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5493.php
Scores
CVSS v3
7.5
EPSS
0.1520
EPSS Percentile
96.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
flir/flir_ax8_firmware
< 1.46.16
Published
Aug 18, 2022
Tracked Since
Feb 18, 2026