Axis AXIS OS
cpe:2.3:o:axis:axis_os:*:*:*:*:*:*:*
- >= 12.0.0, <= 12.6.6
A vulnerability in Axis Communications devices running AXIS OS versions 12.0.0 through 12.6.6 allows for arbitrary code execution via improperly validated ACAP configuration files. This issue arises when devices are set to permit the installation of unsigned ACAP applications. An attacker could exploit this vulnerability by persuading a user to install a malicious ACAP application.
Exploitation of this vulnerability could lead to unauthorized arbitrary code execution on the affected device.
Axis has released a patch for this vulnerability in AXIS OS Active Track 12.6.7. Devices not included in this track but still under support will receive a patch according to their planned maintenance and release schedule. It is recommended to update to the latest Axis device software, available through the Axis vulnerability management portal.