Description
A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH.
Published: 2026-05-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A configuration file on the local file system had improper input validation that could allow execution of arbitrary code. The flaw permits an attacker to inject code that runs with the privileges of the device, potentially leading to a full compromise of the system. The weakness is classified as CWE-732, relating to improper permission assignments or access controls.

Affected Systems

Axis Communications AB’s AXIS OS is affected. No specific version numbers are listed in the publicly available data, so any installation of AXIS OS that uses the relevant configuration file could be vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been observed in widespread exploitation. Exploitation requires an attacker to first log in to the device via SSH, implying that only users with privileged SSH access can exploit the flaw. Given these conditions, the risk is moderate but not negligible.

Generated by OpenCVE AI on May 12, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware update from Axis Communications that addresses the configuration file input validation flaw.
  • Limit SSH access to only trusted IP addresses or disable SSH service when it is not required.
  • Enforce key‑based authentication and disable password logins for SSH to reduce credential compromise.
  • Ensure that configuration files are owned by the system user and have permissions that prevent modification by unprivileged processes.
  • Periodically review device logs for any unauthorized configuration changes or unexpected SSH activity.

Generated by OpenCVE AI on May 12, 2026 at 07:20 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Axis; Axis axis Os
CPEs | | cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*
Vendors & Products | | Axis; Axis axis Os

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 07:45:00 +0000

Type | Values Removed | Values Added
Title | | Improper Input Validation in Configuration File Allows Code Execution on Axis OS
First Time appeared | | Axis Communications Ab; Axis Communications Ab axis Os
Vendors & Products | | Axis Communications Ab; Axis Communications Ab axis Os

Tue, 12 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH.
Weaknesses | | CWE-732
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Axis

Published:

Updated: 2026-05-13T03:57:48.852Z

Reserved: 2026-01-19T13:10:24.354Z

Link: CVE-2026-1185

Vulnrichment

Updated: 2026-05-12T13:05:15.710Z

NVD

Status: Analyzed

Published: 2026-05-12T07:16:09.720

Modified: 2026-05-19T16:07:33.100

Link: CVE-2026-1185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T07:30:10Z
