36 matches found
CVE-2025-0360
CVE-2025-0360 affects the Axis VAPIX Device Configuration framework; the flaw could yield an incorrect privilege level for the VAPIX service account D-Bus API. The issue was reported during a penetration test; the CVSSv3.1 vector indicates Local attacker, Low privileges required, No user interaction, with Confidential...
CVE-2024-47261
The CVE-2024-47261 entry describes a vulnerability in Axis OS devices where the VAPIX API endpoint uploadoverlayimage.cgi lacks sufficient input validation. This allows an attacker to upload files that can block access to create image overlays in the device’s web interface. Affected product scope...
CVE-2024-8160
Summary (CVE-2024-8160): The vulnerability affects Axis OS (AXIS OS) versions prior to the patched release. The flaw resides in the VAPIX API’s ftptest.cgi due to insufficient input validation, enabling a possible command injection that could allow transferring files to/from the Axis device. Exp...
CVE-2024-0055
The CVE-2024-0055 entry concerns AXIS OS where the VAPIX endpoints mediaclip.cgi and playclip.cgi are vulnerable to file globbing, enabling a resource-exhaustion (DoS) condition. Affected software is AXIS OS; the issue is fixed in patched AXIS OS versions as per Axis advisory. Connected sources c...
CVE-2024-47259
CVE-2024-47259 affects Axis OS: VAPIX API endpoint dynamicoverlay.cgi with insufficient input validation that enables command injection, enabling potential file transfers to the Axis device and resource exhaustion. Axis has released patched AXIS OS versions; refer to Axis security advisory for de...
CVE-2025-0361
CVE-2025-0361 describes a vulnerability in Axis Communications’ VAPIX Device Configuration framework where unauthenticated username enumeration is possible via the VAPIX Device Configuration SSH Management API. Affected component is the VAPIX Device Configuration framework (Axis OS context cited ...
CVE-2021-31986
CVE-2021-31986 affects Axis OS; root cause is improper validation of user-controlled SMTP notification parameters, leading to a heap-based buffer overflow with potential crashes and data leakage. In Axis OS, affected tracks/versions include AXIS OS Active track 10.7 and 10.8, AXIS OS 2016 LTS tra...
CVE-2023-5800
CVE-2023-5800 concerns Axis OS: the VAPIX API create_overlay.cgi lacks sufficient input validation, enabling remote code execution. Exploitation requires an operator/admin-privileged service account and network access, with impact on confidentiality, integrity, and availability listed as high. Ax...
CVE-2023-21405
CVE-2023-21405 affects Axis Network Door Controllers and Axis Network Intercoms via OSDP; the vulnerability is a crash in the OSDP message parser that crashes the pacsiod process, causing temporary unavailability of door-controlling functionality (doors cannot be opened or closed). The issue is d...
CVE-2021-31987
CVE-2021-31987 affects Axis OS (embedded OS used in Axis devices). A user-controlled parameter in the SMTP test functionality is not properly validated, enabling bypass of blocked network recipients. Public disclosures describe this alongside related issues (CVE-2021-31986, CVE-2021-31988) in Axi...
CVE-2025-0359
CVE-2025-0359 concerns Axis OS/ACAP: a flaw in the ACAP Application framework allowed applications to access restricted D-Bus methods. The issue stems from insufficient access control in the framework, exposing sensitive IPC interfaces. Axis has released patched AXIS OS versions; refer to Axis se...
CVE-2021-31988
CVE-2021-31988 affects Axis OS SMTP test functionality and involves injecting CRLF and arbitrary SMTP headers due to insufficient validation of a user-controlled parameter. The root cause, as described in multiple sources, is lack of proper input validation in the SMTP test flow, enabling SMTP he...
CVE-2025-0324
AXIS OS (Axis Communications) vulnerability CVE-2025-0324 affects AXIS OS versions 11.8 through 12.2, via the VAPIX Device Configuration framework, causing privilege escalation from a lower-privileged user to administrator. Root cause described as an elevation of privilege issue. Public details a...
CVE-2023-21404
CVE-2023-21404 affects AXIS OS 11.0.X–11.3.x, where a static RSA key is embedded in legacy LUA components to protect Axis-specific source code. The documents state this key is not used in other secure communications and cannot be used to compromise the device or customer data. No exploitation det...
CVE-2023-21418
AXIS OS vulnerability CVE-2023-21418 affects the VAPIX API irissetup.cgi, where path traversal could delete files. Exploitation requires authentication with an operator- or administrator-privileged service account, with impact higher on administrator privileges and lower on operator accounts (non...
CVE-2023-21414
CVE-2023-21414 affects Axis OS Secure Boot (device tamper protection). A flaw in the tamper protection mechanism can allow a sophisticated attacker to bypass Secure Boot. Axis has released patched AXIS OS versions and directs to the Axis security advisory for details and remediation. Connected so...
CVE-2023-21417
CVE-2023-21417 affects AXIS OS via the VAPIX API endpoint manageoverlayimage.cgi, where path traversal can lead to file/folder deletion. Exploitation requires an operator- or administrator-privileged service account, with impact higher on administrator privileges and non-system files; operator ac...
CVE-2023-21416
Axis OS devices are affected by CVE-2023-21416 due to a vulnerability in the VAPIX API endpoint dynamicoverlay.cgi. The flaw enables a Denial-of-Service that can block access to the overlay configuration page in the web interface. Exploitation requires an operator- or ad...
CVE-2023-21413
The CVE-2023-21413 vulnerability affects Axis OS on Axis devices, where the ACAP application installation process is vulnerable to command injection in the application handling service. This enables remote code execution (RCE) if an attacker can leverage the installation flow. Public risk scores ...
CVE-2025-0358
CVE-2025-0358 concerns Axis Communications’ VAPIX Device Configuration framework. Multiple connected sources indicate a privilege-escalation flaw where a lower-privileged user can gain administrator privileges. CNNVD specifies Axis OS versions 12.0–12.3 with the issue arising from improper privil...
CVE-2023-5553
CVE-2023-5553 affects Axis OS Secure Boot protection. The AXIS OS tampering-protection bypass is the underlying issue, enabling a sophisticated attack to bypass the device’s tamper protection. Public detail indicates affected AXIS OS ranges include versions 10.8–11.6 (per external summaries), wit...
CVE-2023-21415
CVE-2023-21415 concerns AXIS OS: the VAPIX API endpoint overlay_del.cgi is vulnerable to a path traversal that allows deleting arbitrary files. Exploitation requires authentication with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions to address...
CVE-2026-0802
Technical details are not publicly available in the provided documents for CVE-2026-0802. Monitor for updates from Axis and security advisories; no product/version/impact specifics are disclosed here.
CVE-2025-3892
CVE-2025-3892 concerns Axis devices running ACAP; the issue allows elevated privileges when an Axis device is configured to allow unsigned ACAP applications and a malicious ACAP app is installed after user trickery. The CVSS details indicate LOCAL exploitation with HIGH privileges required, high ...
CVE-2025-30027
CVE-2025-30027 affects Axis devices via insufficient input validation in ACAP configuration files, enabling arbitrary code execution. Exploitation requires the device to allow unsigned ACAP apps and a user to install a malicious ACAP application. Impact: high on confidentiality, integrity, and av...
CVE-2025-5454
Axis ACAP path-traversal vulnerability (CVE-2025-5454) affects Axis OS/ACAP configuration handling on Axis devices. The issue arises from insufficient input validation in ACAP configuration files, enabling potential local path traversal and privilege escalation when an Axis device is configured to...
CVE-2025-5718
The CVE-2025-5718 issue concerns the Axis ACAP Application framework on Axis OS devices. It describes a privilege-escalation vulnerability via a symbolic-link (symlink) attack, exploitable only if the device is configured to allow unsigned ACAP applications and an attacker persuades a user to ins...
CVE-2025-6779
CVE-2025-6779 affects Axis devices running Axis OS where an ACAP configuration file has improper permissions. The underlying issue could permit command injection and privilege escalation, but exploitation is contingent on the device being configured to allow unsigned ACAP applications and an atta...
CVE-2026-0541
CVE-2026-0541 concerns Axis devices where ACAP applications can gain elevated privileges due to improper input validation during the installation process. The root cause is input validation issues when installing ACAP apps, and exploitation is possible only if the device is configured to allow un...
CVE-2026-0804
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-1185
CVE-2026-1185 concerns an issue in Axis devices where a local file system configuration file is not properly validating input, enabling code execution and potential privilege escalation. The vulnerability requires an attacker to log in to the device via SSH, limiting exposure to authenticated acc...
CVE-2025-5452
Axis devices running ACAP with unsigned app installation enabled are reported to be vulnerable to a malicious ACAP application that can obtain admin-level service account credentials used by legitimate ACAP apps, potentially enabling privilege escalation. Exploitation requires convincing a user t...
CVE-2025-6298
CVE-2025-6298 affects Axis devices running ACAP, where improper input validation during ACAP installation can allow elevation of privileges. The issue only applies if the device is configured to permit unsigned ACAP applications and a user installs a malicious ACAP package. The CVSS 3.1 base metr...
CVE-2025-4645
CVE-2025-4645 affects Axis OS/Axis ACAP handling: an ACAP configuration file with insufficient input validation can lead to arbitrary code execution if an Axis device is configured to allow unsigned ACAP apps and a victim is persuaded to install a malicious ACAP package. The vulnerability is atta...
CVE-2025-8108
CVE-2025-8108 involves Axis ACAP on Axis OS devices. The root cause is an ACAP configuration file with improper permissions and missing input validation, which could enable privilege escalation when the device is configured to allow unsigned ACAP applications and a user is convinced to install a ...
CVE-2025-11142
The CVE-2025-11142 vulnerability affects the VAPIX API mediaclip.cgi and arises from insufficient input validation, enabling potential remote code execution. Exploitation requires authentication with an operator- or administrator-privileged service account, and the impact is rated high (CVSSv3.1:...