AXIS OS

CVEs (12)

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2024-47257	Axis AXIS OS	Hig	0.49	7.5	Nov 26, 2024	Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still under AXIS OS software support. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47260	Axis AXIS OS	Med	0.42	6.5	Mar 4, 2025	51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-6173	Axis AXIS OS	Med	0.42	6.5	Sep 10, 2024	51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-7784	Axis AXIS OS	Med	0.40	6.1	Sep 10, 2024	During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47262	Axis AXIS OS	Med	0.34	5.3	Mar 4, 2025	Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-0066	Axis AXIS OS	Med	0.34	5.3	Jun 18, 2024	Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-8772	Axis AXIS OS	Med	0.28	4.3	Nov 26, 2024	51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-0067	Axis AXIS OS	Med	0.28	4.3	Sep 10, 2024	Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47261	Axis AXIS OS		0.00	—	Apr 8, 2025	51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.
CVE-2024-47259	Axis AXIS OS		0.00	—	Mar 4, 2025	Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-8160	Axis AXIS OS		0.00	—	Nov 26, 2024	Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-6979	Axis AXIS OS		0.00	—	Sep 10, 2024	Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

CVE-2024-47257HigNov 26, 2024
Axis
AXIS OS
risk 0.49cvss 7.5epss 0.00
Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still under AXIS OS software support. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47260MedMar 4, 2025
Axis
AXIS OS
risk 0.42cvss 6.5epss 0.00
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-6173MedSep 10, 2024
Axis
AXIS OS
risk 0.42cvss 6.5epss 0.00
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Guard Tour VAPIX API parameter allowed the use of arbitrary values allowing for an attacker to block access to the guard tour configuration page in the web interface of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-7784MedSep 10, 2024
Axis
AXIS OS
risk 0.40cvss 6.1epss 0.00
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47262MedMar 4, 2025
Axis
AXIS OS
risk 0.34cvss 5.3epss 0.00
Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-0066MedJun 18, 2024
Axis
AXIS OS
risk 0.34cvss 5.3epss 0.00
Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-8772MedNov 26, 2024
Axis
AXIS OS
risk 0.28cvss 4.3epss 0.00
51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-0067MedSep 10, 2024
Axis
AXIS OS
risk 0.28cvss 4.3epss 0.00
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-47261Apr 8, 2025
Axis
AXIS OS
risk 0.00cvss —epss 0.00
51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.
CVE-2024-47259Mar 4, 2025
Axis
AXIS OS
risk 0.00cvss —epss 0.00
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-8160Nov 26, 2024
Axis
AXIS OS
risk 0.00cvss —epss 0.00
Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
CVE-2024-6979Sep 10, 2024
Axis
AXIS OS
risk 0.00cvss —epss 0.00
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.