Axis VAPIX API Audio Clip Upload Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the VAPIX API's mediaclip.cgi component, present in AXIS OS versions 9.80 prior to 12.2. This vulnerability arises from inadequate input validation, allowing users to upload more audio clips than intended, which can cause the device to exhaust its memory resources. The issue can be exploited by authenticated users with operator or administrator privileges.

Impact

Exploitation of this vulnerability can cause the Axis device to run out of memory, potentially leading to a denial-of-service condition where the device becomes unresponsive or fails to function properly.

Remediation

Axis has released patches for this vulnerability in the following AXIS OS versions: Active Track 12.3.1, LTS 2024 11.11.135, LTS 2022 10.12.270, and LTS 2020 9.80.89. For devices not included in these tracks but still under support, patches will be provided according to the planned maintenance and release schedule.
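The fixed releases listed above can be checked against a device inventory. The following is an added example, not code from Axis or from the original page: it compares reported AXIS OS version strings with the fixed release for each track. Inferring the track from the major.minor number and treating every 12.x or later release as Active Track are assumptions, and the inventory is constructed sample data.

```python
# Added example: triage AXIS OS versions against the fixed releases in the advisory.
# Assumption: track is inferred from major.minor; every 12.x+ release is Active Track.
FIXED_BY_TRACK = {
    (9, 80): ("LTS 2020", (9, 80, 89)),
    (10, 12): ("LTS 2022", (10, 12, 270)),
    (11, 11): ("LTS 2024", (11, 11, 135)),
}
ACTIVE_FIXED = ("Active Track", (12, 3, 1))


def parse_version(text):
    """Turn '11.11.124' into (11, 11, 124); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AXIS OS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def triage(version):
    """Return (status, track, fixed_release) for one device version string."""
    v = parse_version(version)
    if v < (9, 80):
        return ("not-listed", None, None)  # below the range the advisory names
    if v[0] >= 12:
        track, fixed = ACTIVE_FIXED
    elif v[:2] in FIXED_BY_TRACK:
        track, fixed = FIXED_BY_TRACK[v[:2]]
    else:
        return ("off-track", None, None)  # advisory names no fixed release here
    status = "patched" if v >= fixed else "update"
    return (status, track, ".".join(map(str, fixed)))


# Constructed inventory (hostnames and versions are sample data, not real devices).
INVENTORY = {
    "cam-lobby": "11.11.124",
    "cam-dock": "10.12.270",
    "speaker-hall": "9.80.47",
    "cam-roof": "12.2.52",
    "cam-lab": "10.5.2",
}

if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        status, track, fixed = triage(version)
        print(f"{host:14} {version:10} {status:10} {track or '-':12} {fixed or '-'}")
```

Devices reported as "off-track" fall under the advisory's statement that patches follow the planned maintenance and release schedule, so they need a manual check against Axis release notes.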

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.