Command Injection Vulnerability in AXIS OS VAPIX API by Axis Communications
CVE-2024-47259
3.5 LOW
What is CVE-2024-47259?
A command injection vulnerability exists in dynamicoverlay.cgi of the VAPIX API, caused by a lack of adequate input validation. This flaw can potentially allow an attacker to execute unauthorized commands and transfer files to the Axis device, ultimately overwhelming its system resources. Axis Communications has addressed this vulnerability in recent updates to AXIS OS, and users are urged to upgrade to the patched versions. For more detailed information, refer to the Axis security advisory.
Affected Version(s)
AXIS OS 11.11.0 < 11.11.126
AXIS OS 12.0.0 < 12.2.52
CVSS V3.1
Score: 3.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed