Brandon
Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. The impact of exploiting
this vulnerability is lower with operator-privileges compared to
administrator-privileges service accounts. Please refer to the Axis security advisory
for more information and solution.
Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. The impact of exploiting
this vulnerability is lower with operator-privileges compared to
administrator-privileges service accounts. Please refer to the Axis security advisory
for more information and solution.
Metrics
Affected Vendors & Products
References
History
Tue, 17 Jun 2025 22:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 15 May 2025 09:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more information and solution. |
Title | Insufficient input validation in VAPIX API tcptext.cgi | |
References |
|
Fri, 08 Nov 2024 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. |
Weaknesses | CWE-78 |

Status: PUBLISHED
Assigner: Axis
Published:
Updated: 2025-06-17T21:29:24.839Z
Reserved: 2023-10-20T07:48:06.861Z
Link: CVE-2023-5677

Updated: 2024-08-02T08:07:32.550Z

Status : Modified
Published: 2024-02-05T06:15:46.690
Modified: 2025-05-15T10:15:23.943
Link: CVE-2023-5677

No data.

No data.