Axis ACAP Applications Privilege Escalation Vulnerability

Vulnerability

A vulnerability exists in Axis devices running AXIS OS versions 12.0.0 through 12.6.68, allowing a malicious ACAP application to access admin-level service account credentials of legitimate ACAP applications. This access could lead to privilege escalation for the malicious application. The vulnerability can be exploited only if the device is set to allow unsigned ACAP applications and if the victim is persuaded to install the malicious application.

Impact

Exploitation of this vulnerability could allow a malicious ACAP application to escalate privileges by accessing admin-level service account credentials, potentially leading to unauthorized actions or access within the application or device.

Remediation

Axis has released a patch for this vulnerability in AXIS OS Active Track 12.6.69. For devices not included in this track but still under support, patches will be provided according to the planned maintenance and release schedule. Users are advised to update their Axis device software to the latest version available.
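The version range and precondition stated above can be turned into a fleet triage check. The following is an added example, not code from Axis or from this advisory; the inventory columns (host, axis_os, allow_unsigned_acap) and the sample rows are constructed assumptions, and how you collect those values from your devices is left to your own tooling.

```python
import csv
import io
import re

AFFECTED_FIRST = (12, 0, 0)   # first affected AXIS OS version per the advisory
AFFECTED_LAST = (12, 6, 68)   # last affected AXIS OS version per the advisory

# Constructed sample inventory; the column names are assumptions for this example.
SAMPLE_INVENTORY = """host,axis_os,allow_unsigned_acap
cam-lobby,12.6.68,true
cam-dock,12.3.56,false
cam-roof,12.6.69,true
cam-gate,11.11.160,true
cam-lab,12.x-beta,false
"""

def parse_version(text):
    """Return (major, minor, patch), or None when the string is not N.N.N."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text, allow_unsigned):
    version = parse_version(version_text)
    if version is None:
        return "unparsed"              # needs a manual check, never assume safe
    if version > AFFECTED_LAST:
        return "at-or-after-fix"       # 12.6.69 or later
    if version < AFFECTED_FIRST:
        return "outside-stated-range"  # other tracks follow the vendor's schedule
    # In the affected range: the advisory's precondition sets the priority.
    return "affected-exposed" if allow_unsigned else "affected"

def triage(inventory_csv):
    """Map each host in the CSV text to its triage status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {
        row["host"]: classify(
            row["axis_os"],
            row["allow_unsigned_acap"].strip().lower() == "true",
        )
        for row in rows
    }

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as "affected" still need the update; the status only reflects that the unsigned-application precondition is currently absent.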

Added: Nov 11, 2025, 7:18 AM
Updated: Nov 11, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 5.0
exploitability: 5.6
remediation: 7.7
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.