Axis AXIS OS
cpe:2.3:o:axis:axis_os:*:*:*:*:*:*:*
- >= 11.11, <= 12.1
A command injection vulnerability has been identified in the VAPIX API component dynamicoverlay.cgi, present in AXIS OS versions 11.11 and later, prior to 12.1. This vulnerability arises from inadequate input validation, allowing authenticated users with operator or administrator privileges to upload files to the Axis device. The uploaded files can be used to deplete system resources, potentially leading to a denial of service. Axis has acknowledged this vulnerability and released patches for it.
Exploitation of this vulnerability allows for unrestricted file uploads, which can be used to exhaust system resources and disrupt normal device operation.
Axis has released patches for this vulnerability in AXIS OS Active Track 12.2.52 and LTS 2024 11.11.126. For devices not included in these tracks but still under support, patches will be provided according to the planned maintenance and release schedule. It is recommended to update the Axis device software to the latest version.