Product

axis os

61 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-12063
< 6.14.10768
An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropria
5.7 MEDIUM
CVE-2025-13064
< 6.14.10768
A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is ex
4.5 MEDIUM
CVE-2025-12757
< 6.14.10768
An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitt
4.6 MEDIUM
CVE-2025-11547
< 6.13.55835
AXIS Camera Station Pro contained a flaw that allowed a non-admin user to perform a privilege escalation attack on the server.
7.8 HIGH
CVE-2025-11142
>= 12.6.54 and < 12.7.36
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This fl
7.1 HIGH
CVE-2025-8108
>= 12.0.0 and < 12.7.33
An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalati
6.7 MEDIUM
CVE-2025-6779
>= 12.0.0 and < 12.6.40
An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalat
6.7 MEDIUM
CVE-2025-6298
< 12.6.28
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This
6.7 MEDIUM
CVE-2025-5718
>= 12.0.0 and < 12.6.30
The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited
6.8 MEDIUM
CVE-2025-5454
>= 12.0.0 and < 12.6.18
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential priv
6.4 MEDIUM
CVE-2025-5452
>= 12.0.0 and < 12.6.69
A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, lead
6.6 MEDIUM
CVE-2025-4645
>= 12.0.0 and < 12.6.7
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability
6.7 MEDIUM
CVE-2025-3892
>= 12.0.0 and < 12.5.31
ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can on
6.7 MEDIUM
CVE-2025-30027
>= 12.0.0 and < 12.5.36
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability
6.7 MEDIUM
CVE-2025-7622
>= 6.0.25729 and < 6.10.49500
During an internal security assessment, a Server-Side Request Forgery (SSRF) vulnerability that allowed an authenticated attacker
5.7 MEDIUM
CVE-2025-30026
>= 6.0.25729 and < 6.9.47069
The AXIS Camera Station Server had a flaw that allowed bypassing the authentication that is normally required.
9.8 CRITICAL
CVE-2025-30025
< 6.8.43213
The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege
7.8 HIGH
CVE-2025-30023
< 6.9.47069
The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote
9.0 CRITICAL
CVE-2025-0358
>= 12.0.0 and < 12.4.0
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configu
8.8 HIGH
CVE-2025-0324
>= 12.0.0 and < 12.3.33
The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator p
9.4 CRITICAL
CVE-2025-1056
< 6.8.43213
Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is
6.1 MEDIUM
CVE-2025-0926
< 6.8.43213
Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove sys
5.9 MEDIUM
CVE-2025-0361
>= 11.11.0 and < 12.3.56
During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Config
4.3 MEDIUM
CVE-2024-47261
>= 10.12.0 and < 12.3.56
51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient i
4.3 MEDIUM
CVE-2025-0360
>= 11.11.0 and < 12.2.41
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configu
7.8 HIGH
CVE-2025-0359
>= 11.11.0 and < 12.2.52
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application fra
8.5 HIGH
CVE-2024-47259
>= 11.11.0 and < 12.2.52
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient
3.5 LOW
CVE-2024-7696
< 6.5.35848
Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious cli
6.3 MEDIUM
CVE-2024-8160
>= 10.9.0 and < 12.1.21
Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input v
3.8 LOW
CVE-2024-0055
>= 10.12.0 and < 11.9.53
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerabl
6.5 MEDIUM
CVE-2023-5800
< 11.8.61
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input
5.4 MEDIUM
CVE-2023-5553
>= 10.8 and < 11.7.57
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (
7.6 HIGH
CVE-2023-21418
< 6.50.5.15
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversa
7.1 HIGH
CVE-2023-21417
< 11.7.57
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to pat
7.1 HIGH
CVE-2023-21416
< 11.7.57
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial
7.1 HIGH
CVE-2023-21415
>= 6.50.5.3 and < 6.50.5.14
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path travers
6.5 MEDIUM
CVE-2023-21414
>= 10.11.55 and < 10.12.206
NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. The protection for device t
7.1 HIGH
CVE-2023-21413
>= 11.0.89 and < 11.6.94
GoSecure on behalf of Genetec Inc. has found a flaw that allows for a remote code execution during the installation of ACAP applic
9.1 CRITICAL
CVE-2023-21406
<= 1.65.4
Ariel Harush and Roy Hodir from OTORIO have found a flaw in the AXIS A1001 when communicating over OSDP. A heap-based buffer overf
7.1 HIGH
CVE-2023-21405
<= 10.12.178
Knud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network Intercoms when communicating over OSD
6.5 MEDIUM
CVE-2023-21404
>= 11.0.89 and < 11.4.52
AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is
5.3 MEDIUM
CVE-2021-31988
< 10.7
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage R
8.8 HIGH
CVE-2021-31987
< 10.8
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked net
7.5 HIGH
CVE-2021-31986
< 10.7
User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting
6.8 MEDIUM
CVE-2018-10664
< 1.65.1
An issue was discovered in the httpd process in multiple models of Axis IP Cameras. There is Memory Corruption.
7.5 HIGH
CVE-2018-10663
< 1.65.1
An issue was discovered in multiple models of Axis IP Cameras. There is an Incorrect Size Calculation.
7.5 HIGH
CVE-2018-10662
< 1.65.1
An issue was discovered in multiple models of Axis IP Cameras. There is an Exposed Insecure Interface.
9.8 CRITICAL
CVE-2018-10661
< 1.65.1
An issue was discovered in multiple models of Axis IP Cameras. There is a bypass of access control.
9.8 CRITICAL
CVE-2018-10660
< 1.65.1
An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.
9.8 CRITICAL
CVE-2018-10659
< 1.65.1
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which allows remote attackers to cause a deni
7.5 HIGH
CVE-2018-10658
< 1.65.1
There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which causes a denial of service (crash). The
7.5 HIGH
CVE-2007-5214
<= 2.02
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier allow remo
CVE-2007-5213
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware 2.43 and earlier all
CVE-2007-5212
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the AXIS 2100 Network Camera 2.02 with firmware before 2.43 allow remote at
CVE-2007-2239
<= 2.39
Stack-based buffer overflow in the SaveBMP method in the AXIS Camera Control (aka CamImage) ActiveX control before 2.40.0.0 in Axi
CVE-2004-2427
all versions
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to obtain sensitive information v
CVE-2004-2426
all versions
Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attack
CVE-2004-2425
all versions
Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to execute arbitrary commands via
CVE-2004-0789
all versions
Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network produc
CVE-2003-0240
<= 2.32
The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrict
CVE-2001-1543
all versions
Axis network camera 2120, 2110, 2100, 200+ and 200 contains a default administration password "pass", which allows remote attacker