Axis Os

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Axis Os.

By the Year

In 2026 there have been 0 vulnerabilities in Axis Os. Last year, in 2025 Axis Os had 2 security vulnerabilities published. Right now, Axis Os is on track to have less security vulnerabilities in 2026 than it did last year.

Year	Vulnerabilities	Average Score
2026	0	0.00
2025	2	0.00
2024	8	8.80
2023	7	6.87
2022	0	0.00
2021	3	7.70

It may take a day or so for new Axis Os vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Axis Os Security Vulnerabilities

Axis OS VAPIX API dynamicOverlay CGI Command Injection
CVE-2024-47259 - March 04, 2025

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis VAPIX param.cgi Race Condition Enables Web UI DoS
CVE-2024-47262 - March 04, 2025

Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS VAPIX ftptest.cgi Command Injection via unsanitized input
CVE-2024-8160 - November 26, 2024

Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files from/to the Axis device. This flaw can only be exploited after authenticating with an administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis AXIS OS Ethernet Frame Crash Vulnerability
CVE-2024-47257 - November 26, 2024

Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released patched AXIS OS versions for the highlighted flaw for products that are still under AXIS OS software support. Please refer to the Axis security advisory for more information and solution.

Axis OS Broken Access Control: Operator Exploits Privilege Escalation
CVE-2024-6979 - September 10, 2024

Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a broken access control which would lead to less-privileged operator- and/or viewer accounts having more privileges than designed. The risk of exploitation is very low as it requires complex steps to execute, including knowing of account passwords and social engineering attacks in tricking the administrator to perform specific configurations on operator- and/or viewer-privileged accounts. Axis has released patched AXIS OS a version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS VAPIX Path Traversal via ledlimit.cgi (CVE-2024-0067)
CVE-2024-0067 - September 10, 2024

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS VAPIX alwaysmulti.cgi File Globbing Exhaustion
CVE-2024-6509 - September 10, 2024

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS O3C Feature Exposes Sensitive Traffic
CVE-2024-0066 - June 18, 2024

Johan Fagerström, member of the AXIS OS Bug Bounty Program, has found that a O3C feature may expose sensitive traffic between the client (Axis device) and (O3C) server. If O3C is not being used this flaw does not apply. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS VAPIX CGI Resource Exhaustion via File Globbing
CVE-2024-0054 - March 19, 2024

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis OS VAPIX create_overlay.cgi RCE via insufficient input validation
CVE-2023-5800 8.8 - High - February 05, 2024

Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Code Injection

Axis OS Secure Boot Bypass via Device Tampering (CVE-2023-5553)
CVE-2023-5553 6.8 - Medium - November 21, 2023

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis VAPIX API DoS via dynamicoverlay.cgi after Auth
CVE-2023-21416 6.5 - Medium - November 21, 2023

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Axis VAPIX manageoverlayimage.cgi Path Traversal Enables Deletion
CVE-2023-21417 7.1 - High - November 21, 2023

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Directory traversal

AXIS OS VAPIX irissetup.cgi Path Traversal Deletion
CVE-2023-21418 7.1 - High - November 21, 2023

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Directory traversal

Axis OS ACAP App Install Remote Code Execution via Command Injection
CVE-2023-21413 7.2 - High - October 16, 2023

GoSecure on behalf of Genetec Inc. has found a flaw that allows for a remote code execution during the installation of ACAP applications on the Axis device. The application handling service in AXIS OS was vulnerable to command injection allowing an attacker to run arbitrary code. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Command Injection

AXIS OS VAPIX overlay_del.cgi Path Traversal File Deletion
CVE-2023-21415 8.1 - High - October 16, 2023

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Directory traversal

CVE-2023-21404: Static RSA Key in Axis OS 11.0.x11.3.x Legacy LUA
CVE-2023-21404 5.3 - Medium - May 08, 2023

AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to compromise the device or any customer data.

Missing Encryption of Sensitive Data

User controlled parameters related to SMTP notifications are not correctly validated
CVE-2021-31986 6.8 - Medium - October 05, 2021

User controlled parameters related to SMTP notifications are not correctly validated. This can lead to a buffer overflow resulting in crashes and data leakage.

Memory Corruption

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.
CVE-2021-31987 7.5 - High - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
CVE-2021-31988 8.8 - High - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.

Injection

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Axis Os or by Axis? Click the Watch button to subscribe.

Axis
Vendor

Axis Os
Product

Axis Os

Don't miss out!

By the Year

Recent Axis Os Security Vulnerabilities

Axis OS VAPIX API dynamicOverlay CGI Command Injection CVE-2024-47259 - March 04, 2025

Axis VAPIX param.cgi Race Condition Enables Web UI DoS CVE-2024-47262 - March 04, 2025

Axis OS VAPIX ftptest.cgi Command Injection via unsanitized input CVE-2024-8160 - November 26, 2024

Axis AXIS OS Ethernet Frame Crash Vulnerability CVE-2024-47257 - November 26, 2024

Axis OS Broken Access Control: Operator Exploits Privilege Escalation CVE-2024-6979 - September 10, 2024

Axis OS VAPIX Path Traversal via ledlimit.cgi (CVE-2024-0067) CVE-2024-0067 - September 10, 2024

Axis OS VAPIX alwaysmulti.cgi File Globbing Exhaustion CVE-2024-6509 - September 10, 2024

Axis OS O3C Feature Exposes Sensitive Traffic CVE-2024-0066 - June 18, 2024

Axis OS VAPIX CGI Resource Exhaustion via File Globbing CVE-2024-0054 - March 19, 2024

Axis OS VAPIX create_overlay.cgi RCE via insufficient input validation CVE-2023-5800 8.8 - High - February 05, 2024

Axis OS Secure Boot Bypass via Device Tampering (CVE-2023-5553) CVE-2023-5553 6.8 - Medium - November 21, 2023

Axis VAPIX API DoS via dynamicoverlay.cgi after Auth CVE-2023-21416 6.5 - Medium - November 21, 2023

Axis VAPIX manageoverlayimage.cgi Path Traversal Enables Deletion CVE-2023-21417 7.1 - High - November 21, 2023

AXIS OS VAPIX irissetup.cgi Path Traversal Deletion CVE-2023-21418 7.1 - High - November 21, 2023

Axis OS ACAP App Install Remote Code Execution via Command Injection CVE-2023-21413 7.2 - High - October 16, 2023

AXIS OS VAPIX overlay_del.cgi Path Traversal File Deletion CVE-2023-21415 8.1 - High - October 16, 2023

CVE-2023-21404: Static RSA Key in Axis OS 11.0.x11.3.x Legacy LUA CVE-2023-21404 5.3 - Medium - May 08, 2023

User controlled parameters related to SMTP notifications are not correctly validated CVE-2021-31986 6.8 - Medium - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients. CVE-2021-31987 7.5 - High - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email. CVE-2021-31988 8.8 - High - October 05, 2021

Stay on top of Security Vulnerabilities

Axis Vendor

Axis OsProduct

Axis OS VAPIX API dynamicOverlay CGI Command Injection
CVE-2024-47259 - March 04, 2025

Axis VAPIX param.cgi Race Condition Enables Web UI DoS
CVE-2024-47262 - March 04, 2025

Axis OS VAPIX ftptest.cgi Command Injection via unsanitized input
CVE-2024-8160 - November 26, 2024

Axis AXIS OS Ethernet Frame Crash Vulnerability
CVE-2024-47257 - November 26, 2024

Axis OS Broken Access Control: Operator Exploits Privilege Escalation
CVE-2024-6979 - September 10, 2024

Axis OS VAPIX Path Traversal via ledlimit.cgi (CVE-2024-0067)
CVE-2024-0067 - September 10, 2024

Axis OS VAPIX alwaysmulti.cgi File Globbing Exhaustion
CVE-2024-6509 - September 10, 2024

Axis OS O3C Feature Exposes Sensitive Traffic
CVE-2024-0066 - June 18, 2024

Axis OS VAPIX CGI Resource Exhaustion via File Globbing
CVE-2024-0054 - March 19, 2024

Axis OS VAPIX create_overlay.cgi RCE via insufficient input validation
CVE-2023-5800 8.8 - High - February 05, 2024

Axis OS Secure Boot Bypass via Device Tampering (CVE-2023-5553)
CVE-2023-5553 6.8 - Medium - November 21, 2023

Axis VAPIX API DoS via dynamicoverlay.cgi after Auth
CVE-2023-21416 6.5 - Medium - November 21, 2023

Axis VAPIX manageoverlayimage.cgi Path Traversal Enables Deletion
CVE-2023-21417 7.1 - High - November 21, 2023

AXIS OS VAPIX irissetup.cgi Path Traversal Deletion
CVE-2023-21418 7.1 - High - November 21, 2023

Axis OS ACAP App Install Remote Code Execution via Command Injection
CVE-2023-21413 7.2 - High - October 16, 2023

AXIS OS VAPIX overlay_del.cgi Path Traversal File Deletion
CVE-2023-21415 8.1 - High - October 16, 2023

CVE-2023-21404: Static RSA Key in Axis OS 11.0.x11.3.x Legacy LUA
CVE-2023-21404 5.3 - Medium - May 08, 2023

User controlled parameters related to SMTP notifications are not correctly validated
CVE-2021-31986 6.8 - Medium - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients.
CVE-2021-31987 7.5 - High - October 05, 2021

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.
CVE-2021-31988 8.8 - High - October 05, 2021

Axis
Vendor

Axis Os
Product