CVE-2024-47259

LOW

AXIS OS 11.11.0-12.2.51 & <11.11.126 - Unauthenticated Command Injection via VAPIX API

Title source: llm

Description

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

References (1)

Core 1

Core References

Vendor Advisory

https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf

Scores

CVSS v3 3.5

EPSS 0.0054

EPSS Percentile 41.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (2)

axis/axis_os 11.11.0 - 12.2.52

axis/axis_os_2024 < 11.11.126

Published Mar 04, 2025

Tracked Since Feb 18, 2026