Cyber Resilience

CVE-2022-37060

High · Public PoC

Published: 18 August 2022

Modified: 17 October 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3951 (97.4th percentile)
Risk Priority: 39 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-37060 is a high-severity Path Traversal (CWE-22) vulnerability in FLIR AX8 firmware. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

FLIR AX8 thermal sensor cameras up to and including firmware version 1.46.16 contain a directory traversal vulnerability (CWE-22) stemming from improper access restrictions. The flaw resides in the web interface and permits unauthenticated remote access to files outside the intended web root when specially crafted URIs are supplied.

An unauthenticated attacker reachable over the network can exploit the issue by submitting traversal sequences in HTTP requests, resulting in disclosure of arbitrary file contents on the device. The vulnerability carries a CVSS 3.1 score of 7.5 with network attack vector, low complexity, and no required credentials or user interaction, affecting only confidentiality.

Vendor guidance states that firmware 1.49.16, released in January 2023, resolves the reported weakness; the current release as of October 2025 is 1.55.16. Public references include exploit code and technical details published on Packet Storm and a Zero Science advisory that predate the CVE assignment.

The associated EPSS score has remained at its peak value of 0.3951 since disclosure with no material upward movement.

EU & UK References

Vulnerability details

FLIR AX8 thermal sensor cameras, versions up to and including 1.46.16, are vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path. NOTE: The vendor has stated that with the introduction of firmware version 1.49.16 (Jan 2023) the FLIR AX8 should no longer be affected by the vulnerability reported. The latest firmware version (as of Oct 2025; released Jun 2024) is 1.55.16.

CWE(s)

CWE-22: Path Traversal

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: flir
Product: flir ax8 firmware
Versions: ≤ 1.46.16

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
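The following is an added, defender-side illustration of that control; it is not code from this page, from FLIR, or from the AX8 web interface, and it says nothing about how the affected firmware actually resolves paths. It assumes a generic file-serving handler with a configurable web root. It contrasts a naive "decode and join" resolver, the pattern behind most CWE-22 findings, with a hardened resolver that decodes exactly once, rejects ".." segments and stray encoding, and then confirms the real (symlink-resolved) path is still under the root. The sample URIs and the throw-away web root in demo() are constructed for the check.

```python
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def naive_path(web_root: str, uri_path: str) -> str:
    # Weak pattern: percent-decode the URI and glue it onto the web root.
    # "../" segments are still honoured by the OS, so the result can point
    # anywhere on the filesystem.
    return os.path.normpath(os.path.join(web_root, unquote(uri_path).lstrip("/")))


def safe_path(web_root: str, uri_path: str) -> Optional[str]:
    """Return the on-disk path for uri_path, or None if it must not be served."""
    decoded = unquote(uri_path)  # decode exactly once, never in a loop
    # Characters that are never legitimate in a served filename: NUL, the
    # Windows separator, and leftover percent-encoding (a downstream layer
    # that decodes again would otherwise see a different path than we checked).
    if any(c in decoded for c in ("\x00", "\\", "%")):
        return None
    # Split into segments and refuse any parent-directory reference outright,
    # even one that would lexically stay inside the root; logging these is
    # also a useful detection signal.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    # Resolve against the real filesystem so a symlink inside the root cannot
    # point outside it, then require the result to remain under the root.
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed check: a temporary web root holding one page and one
    symlink, plus a sibling file outside the root, run through both resolvers."""
    parent = os.path.realpath(tempfile.mkdtemp(prefix="traversal-demo-"))
    root = os.path.join(parent, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>")
    with open(os.path.join(parent, "outside.txt"), "w") as fh:
        fh.write("must never be served")
    # Symlink inside the root that targets a file outside it (lexical-only
    # checks miss this case).
    os.symlink(os.path.join(parent, "outside.txt"), os.path.join(root, "link.txt"))

    samples = [
        "/index.html",               # ordinary request
        "/sub/../index.html",        # lexically stays inside, still rejected
        "/../outside.txt",           # plain traversal
        "/%2e%2e/outside.txt",       # single percent-encoded traversal
        "/%252e%252e/outside.txt",   # double-encoded; rejected by the '%' rule
        "/link.txt",                 # symlink escape
    ]
    results: Dict[str, Dict[str, bool]] = {}
    for uri in samples:
        naive_target = os.path.realpath(naive_path(root, uri))
        results[uri] = {
            "naive_escapes_root": os.path.commonpath([root, naive_target]) != root,
            "hardened_allows": safe_path(root, uri) is not None,
        }
    return results


if __name__ == "__main__":
    for uri, verdict in demo().items():
        print(f"{uri:28} naive escapes root: {verdict['naive_escapes_root']!s:5} "
              f"hardened allows: {verdict['hardened_allows']}")
```

The hardened resolver is deliberately strict: it refuses any ".." segment rather than normalising it away, because a request that contains one is either a client bug or a probe, and refusing it makes the event visible in logs. The realpath/commonpath step is the part that lexical filters alone cannot replace, since it catches symlinks and mount points that lead outside the root.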

References