Axis


Products by Axis Sorted by Most Security Vulnerabilities since 2018

Axis Os: 20 vulnerabilities

Axis Os 2020: 7 vulnerabilities

Axis Os 2022: 6 vulnerabilities

Axis License Plate Verifier: 6 vulnerabilities

Axis Os 2018: 5 vulnerabilities

Axis Os 2016: 4 vulnerabilities

Axis 207w Firmware: 1 vulnerability

Axis A1001 Firmware: 1 vulnerability

Axis Device Manager: 1 vulnerability

Axis Ip Utility: 1 vulnerability

Axis M1033 W Firmware: 1 vulnerability

Axis P1354 Firmware: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Axis. Last year, in 2025, Axis had 2 security vulnerabilities published. Right now, Axis is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 2 0.00
2024 8 8.80
2023 15 7.85
2022 1 7.80
2021 4 7.10
2020 0 0.00
2019 0 0.00
2018 2 7.50

It may take a day or so for new Axis vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Axis Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-47259 Mar 04, 2025
Axis OS VAPIX API dynamicOverlay CGI Command Injection
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-47262 Mar 04, 2025
Axis VAPIX param.cgi Race Condition Enables Web UI DoS
Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-8160 Nov 26, 2024
Axis OS VAPIX ftptest.cgi Command Injection via unsanitized input
Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-47257 Nov 26, 2024
Axis AXIS OS Ethernet Frame Crash Vulnerability
Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still under AXIS OS software support. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-6979 Sep 10, 2024
Axis OS Broken Access Control: Operator Exploits Privilege Escalation
Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released a patched AXIS OS version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-0067 Sep 10, 2024
Axis OS VAPIX Path Traversal via ledlimit.cgi (CVE-2024-0067)
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-6509 Sep 10, 2024
Axis OS VAPIX alwaysmulti.cgi File Globbing Exhaustion
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-0066 Jun 18, 2024
Axis OS O3C Feature Exposes Sensitive Traffic
Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that an O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2024-0054 Mar 19, 2024
Axis OS VAPIX CGI Resource Exhaustion via File Globbing
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi were vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2023-5800 Feb 05, 2024
Axis OS VAPIX create_overlay.cgi RCE via insufficient input validation
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
Axis Os 2022
Axis Os 2020
And others...
CVE-2023-21416 Nov 21, 2023
Axis VAPIX API DoS via dynamicoverlay.cgi after Auth
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
Axis Os 2022
CVE-2023-5553 Nov 21, 2023
Axis OS Secure Boot Bypass via Device Tampering (CVE-2023-5553)
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os 2022
Axis Os
CVE-2023-21417 Nov 21, 2023
Axis VAPIX manageoverlayimage.cgi Path Traversal Enables Deletion
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
Axis Os 2022
Axis Os 2020
And others...
CVE-2023-21418 Nov 21, 2023
AXIS OS VAPIX irissetup.cgi Path Traversal Deletion
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os 2018
Axis Os
Axis Os 2022
And others...
CVE-2023-21415 Oct 16, 2023
AXIS OS VAPIX overlay_del.cgi Path Traversal File Deletion
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os 2022
Axis Os 2018
Axis Os 2020
And others...
CVE-2023-21413 Oct 16, 2023
Axis OS ACAP App Install Remote Code Execution via Command Injection
GoSecure on behalf of Genetec Inc. has found a flaw that allows for a remote code execution during the installation of ACAP applications on the Axis device. The application handling service in AXIS OS was vulnerable to command injection allowing an attacker to run arbitrary code. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Axis Os
CVE-2023-21409 Aug 03, 2023
Unprivileged Users Access Admin Credentials via Low File Permissions
Due to insufficient file permissions, unprivileged users could gain access to unencrypted administrator credentials allowing the configuration of the application.
License Plate Verifier
CVE-2023-21412 Aug 03, 2023
Axis License Plate Verifier search.cgi SQL Injection via Unsanitized Input
User provided input is not sanitized on the AXIS License Plate Verifier specific search.cgi allowing for SQL injections.
License Plate Verifier
CVE-2023-21411 Aug 03, 2023
Unvalidated Input in Access Control Enables Code Execution (CVE-2023-21411)
User provided input is not sanitized in the Settings > Access Control configuration interface allowing for arbitrary code execution.
License Plate Verifier
CVE-2023-21410 Aug 03, 2023
AXIS License Plate Verifier: API CGI Unsanitized Input Allows Arbitrary Exec
User provided input is not sanitized on the AXIS License Plate Verifier specific api.cgi allowing for arbitrary code execution.
License Plate Verifier
CVE-2023-21408 Aug 03, 2023
Insufficient Permissions Expose Unencrypted Credentials in Integration API
Due to insufficient file permissions, unprivileged users could gain access to unencrypted user credentials that are used in the integration interface towards 3rd party systems.
License Plate Verifier
CVE-2023-21407 Aug 03, 2023
Privilege Escalation via Broken Access Control in Operator Account
A broken access control was found allowing for privilege escalation of the operator account to gain administrator privileges.
License Plate Verifier
CVE-2023-21406 Jul 25, 2023
AXIS A1001 OSDP Heap Buffer Overflow
Ariel Harush and Roy Hodir from OTORIO have found a flaw in the AXIS A1001 when communicating over OSDP. A heap-based buffer overflow was found in the pacsiod process which is handling the OSDP communication allowing to write outside of the allocated buffer. By appending invalid data to an OSDP message it was possible to write data beyond the heap allocated buffer. The data written outside the buffer could be used to execute arbitrary code. Please refer to the Axis security advisory for more information, mitigation and affected products and software versions.
A1001 Firmware
CVE-2023-21404 May 08, 2023
CVE-2023-21404: Static RSA Key in Axis OS 11.0.x-11.3.x Legacy LUA
AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data.
Axis Os
CVE-2023-22984 Feb 21, 2023
Vulnerable Axis 207W Camera: Reflected XSS in Admin Portal (CVE-2023-22984)
A vulnerability was discovered in Axis 207W network camera. There is a reflected XSS vulnerability in the web administration portal, which allows an attacker to execute arbitrary JavaScript via URL.
207w Firmware
CVE-2022-23410 Feb 14, 2022
AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking. IPUtility.exe would attempt to load DLLs from its current working directory which could allow for remote code execution if a compromised DLL would be placed in the same folder.
Ip Utility
CVE-2021-31987 Oct 05, 2021
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.
Axis Os
Axis Os 2016
Axis Os 2018
And others...
CVE-2021-31988 Oct 05, 2021
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
Axis Os
Axis Os 2016
Axis Os 2018
And others...
CVE-2021-31986 Oct 05, 2021
User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.
Axis Os
Axis Os 2016
Axis Os 2018
And others...
CVE-2021-31989 Aug 25, 2021
A user with permission to log on to the machine hosting the AXIS Device Manager client could under certain conditions extract a memory dump from the built-in Windows Task Manager application. The memory dump may potentially contain credentials of connected Axis devices.
Device Manager
CVE-2018-9157 Apr 01, 2018
An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.
M1033 W Firmware
CVE-2018-9156 Apr 01, 2018
An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.
P1354 Firmware
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).