Axis ACAP Command Injection Vulnerability Leading to Privilege Escalation

Vulnerability

A command injection vulnerability exists in Axis devices running AXIS OS versions 12.0.0 through 12.9.32. An ACAP configuration file lacked proper input validation, which could lead to privilege escalation. Exploitation requires that the device be set up to permit the installation of unsigned ACAP applications, and that an attacker persuade the user to install a malicious ACAP application.

Impact

Exploitation of this vulnerability could result in unauthorized command execution on the device, potentially allowing an attacker to gain elevated privileges.

Remediation

Axis has released a patch for this vulnerability in AXIS OS version 12.9.33. For devices not included in this track but still under support, patches will be provided according to the planned maintenance and release schedule. Users are advised to update their Axis device software to the latest version available.
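The following fleet triage sketch is an added example, not code from Axis or from this page's publisher. It sorts a device inventory by the version range and precondition stated above. The inventory records, the key names axis_os and allow_unsigned_acap, and the status labels are assumptions made for illustration.

```python
import re

AFFECTED_MIN = (12, 0, 0)   # first affected AXIS OS version per the advisory
FIXED = (12, 9, 33)         # first patched version per the advisory

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not N.N.N."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def triage(device):
    """Classify one inventory record (dict with hypothetical keys)."""
    ver = parse_version(device.get("axis_os"))
    if ver is None:
        return "unknown-version"
    # Tuple comparison is numeric, so 12.10.1 sorts after 12.9.33
    # (a plain string comparison would get this wrong).
    if ver >= FIXED:
        return "patched"
    if ver < AFFECTED_MIN:
        return "other-track"    # outside the stated range; follow the vendor schedule
    # Within 12.0.0 .. 12.9.32. Exploitation also requires that unsigned
    # ACAP installation is permitted, so that setting decides the priority.
    if device.get("allow_unsigned_acap") is False:
        return "affected-precondition-off"
    return "affected-exposed"   # True or not recorded: assume exposed

def triage_inventory(devices):
    """Map device name -> status for a list of inventory records."""
    return {d["name"]: triage(d) for d in devices}

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "cam-01", "axis_os": "12.9.32", "allow_unsigned_acap": True},
    {"name": "cam-02", "axis_os": "12.9.33", "allow_unsigned_acap": True},
    {"name": "cam-03", "axis_os": "12.4.59", "allow_unsigned_acap": False},
    {"name": "cam-04", "axis_os": "11.11.160", "allow_unsigned_acap": True},
    {"name": "cam-05", "axis_os": "12.10.1", "allow_unsigned_acap": True},
    {"name": "cam-06", "axis_os": "n/a"},
    {"name": "cam-07", "axis_os": "12.0.0"},
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(f"{name}: {status}")
```

Devices reported as affected-precondition-off still need the update; the label only lowers their priority relative to devices that accept unsigned ACAP applications.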

Added: May 12, 2026, 7:21 AM
Updated: May 12, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 4.4
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.