Axis Communications ACAP Path Traversal Vulnerability Leading to Privilege Escalation

Vulnerability

A path traversal vulnerability allowing potential privilege escalation has been identified in Axis devices running AXIS OS versions 12.0.0 through 12.10.3. The issue arises from an ACAP configuration file that lacked proper input validation, which could be exploited if the device is set to allow the installation of unsigned ACAP applications. An attacker would need to persuade a victim to install a malicious ACAP application for exploitation to occur.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation on the affected device.

Remediation

Axis has released a patch for this vulnerability in AXIS OS Active Track 12.10.4. Devices not included in this track but still under support will receive a patch according to their planned maintenance and release schedule. It is recommended to update the device software to the latest version.
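An inventory triage for the version range and precondition described above, as an added example that is not part of the advisory or any Axis tooling. The record fields (host, axis_os, allow_unsigned_acap) and the sample inventory are hypothetical and constructed; the version bounds come from the advisory text.

```python
import re

# Bounds taken from the advisory: 12.0.0 through 12.10.3 are affected.
FIRST_AFFECTED = (12, 0, 0)
LAST_AFFECTED = (12, 10, 3)

# Most urgent status first; used to sort the report.
ORDER = ["affected-precondition-met", "affected-setting-unknown",
         "affected-unsigned-blocked", "unknown-version", "outside-listed-range"]

def parse_version(text):
    """Return (major, minor, patch), or None if text is not an x.y.z version."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(device):
    """Classify one inventory record (field names are hypothetical)."""
    version = parse_version(device.get("axis_os"))
    if version is None:
        return "unknown-version"          # check by hand, never assume safe
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "outside-listed-range"
    # The advisory ties exploitation to unsigned ACAP installation being allowed.
    allow = device.get("allow_unsigned_acap")
    if allow is True:
        return "affected-precondition-met"
    if allow is False:
        return "affected-unsigned-blocked"  # still needs the software update
    return "affected-setting-unknown"

def report(inventory):
    """Return (status, host) rows sorted by urgency, then host name."""
    rows = [(triage(d), d["host"]) for d in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[0]), r[1]))

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"host": "cam-dock", "axis_os": "12.10.4", "allow_unsigned_acap": True},
    {"host": "cam-lobby", "axis_os": "12.10.3", "allow_unsigned_acap": True},
    {"host": "cam-gate", "axis_os": "12.2.5", "allow_unsigned_acap": False},
    {"host": "cam-roof", "axis_os": "12.7.1"},
    {"host": "cam-lab", "axis_os": "n/a", "allow_unsigned_acap": True},
]

if __name__ == "__main__":
    for status, host in report(INVENTORY):
        print(f"{host:10} {status}")
```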

Added: May 12, 2026, 7:21 AM
Updated: May 12, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 4.4
remediation: 7.7
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.