Axis VAPIX API Race Condition Vulnerability Leading to Denial-of-Service

A race condition vulnerability has been identified in the VAPIX API param.cgi on Axis devices running AXIS OS versions 6.50 through 12.2. This vulnerability allows an attacker to disrupt access to the device's web interface. Other API endpoints or services that do not utilize param.cgi are not affected. Axis has released patched versions for this flaw.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing the web interface of the affected Axis device to become inaccessible.

Remediation

Axis has released patches for this vulnerability in the following AXIS OS versions: Active Track 12.3.4, LTS 2024 11.11.127, LTS 2022 10.12.270, LTS 2020 9.80.90, (Former LTS) 8.40.66, and (Former LTS) 6.50.5.19. For devices not included in these tracks but still under support, patches will be provided according to the planned maintenance and release schedule.