Security Advisories

About

The purpose of this registry is to proactively raise awareness and communicate about vulnerabilities that have been analyzed for Axis products and services. 

  • Axis and OpenSource vulnerabilities are listed below with CVE IDs (CVE = Common Vulnerabilities and Exposures).

  • Axis vulnerabilities were previously listed with ACV IDs (ACV = Axis Critical Vulnerability), which changed when Axis was approved as a CVE Numbering Authority (CNA) in April 2021.

Please contact Axis Technical Support if you have found a CVE that was reported to be present in AXIS OS but is not registered below.

For more information about Axis work with cybersecurity, see Cybersecurity resources.

Axis CVEs

The Axis registry covers vulnerabilities that are specific to Axis products and services. We strongly recommend updating affected devices and services.

Analytics

CVE 2023

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2023-21412 | 7.2 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: User-provided input is not sanitized in “search.cgi”, allowing for SQL injection. |
| CVE-2023-21411 | 7.2 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: User-provided input is not sanitized in the “Settings > Access Control” configuration interface, allowing for arbitrary code execution. |
| CVE-2023-21410 | 7.2 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: User-provided input is not sanitized in the AXIS License Plate Verifier specific “api.cgi”, allowing for arbitrary code execution. |
| CVE-2023-21409 | 8.4 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: Due to insufficient file permissions, unprivileged users could gain access to unencrypted administrator credentials, allowing configuration of the application. |
| CVE-2023-21408 | 8.4 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: Due to insufficient file permissions, unprivileged users could gain access to unencrypted user credentials that are used in the integration interface towards 3rd-party systems. |
| CVE-2023-21407 | 8.8 (High) | 2.8.4 | Axis Security Advisory - AXIS License Plate Verifier: A broken access control was found, allowing privilege escalation from the operator account to administrator privileges. |

AXIS Camera Station Pro

CVE 2024

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2024-7696 | 6.3 (Medium) | 6.5 | This CVE will be externally disclosed on 9th January 2025; more detailed information will follow at that time. |
| CVE-2024-6831 | 4.4 (Medium) | 6.4 | Axis Security Advisory - It was possible to edit and/or remove views without the necessary permission due to a client-side-only check. |
| CVE-2024-6749 | 6.3 (Medium) | 6.4 | Axis Security Advisory - The Incident report feature may expose sensitive credentials on the AXIS Camera Station Windows client. If Incident report is not being used with credentials configured, this flaw does not apply. |
| CVE-2024-6476 | 4.2 (Medium) | 6.4 | Axis Security Advisory - It was possible for a non-admin user to gain system privileges by redirecting a file deletion upon service restart. |

AXIS Device Manager

CVE 2021

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2021-31989 | 5.3 (Medium) | 5.17.065 | Axis Security Advisory - A user with permission to log on to the machine hosting the AXIS Device Manager client could, under certain conditions, extract a memory dump from the built-in Windows Task Manager application. The memory dump may potentially contain credentials of connected Axis devices. |

AXIS OS

CVE 2024

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2024-47257 | 7.5 (High) | 6.50.5.19 | Axis Security Advisory - Selected Axis devices were vulnerable when handling certain Ethernet frames, which could lead to the Axis device becoming unavailable on the network. |
| CVE-2024-8772 | 4.3 (Medium) | 12.1.60, 11.11.124, 10.12.262, 9.80.85 | Axis Security Advisory - The VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack, allowing an attacker to block access to the overlay configuration page in the web interface of the Axis device. |
| CVE-2024-8160 | 3.8 (Low) | 12.1.60, 11.11.116, 10.12.257 | Axis Security Advisory - The VAPIX API ftptest.cgi did not have sufficient input validation, allowing a possible command injection that made it possible to transfer files from/to the Axis device. |
| CVE-2024-7784 | 6.1 (Medium) | 12.0.91, 11.11.109, 10.12.252 | Axis Security Advisory - Device tampering protection (commonly known as Secure Boot) in AXIS OS was vulnerable to a sophisticated attack that bypasses this protection. This patch enforces a downgrade restriction. For more information, please review the security advisory. |
| CVE-2024-6979 | 6.8 (Medium) | 12.0.91, 11.11.109 | Axis Security Advisory - A broken access control was discovered which could lead to less-privileged operator and/or viewer accounts having more privileges than designed. |
| CVE-2024-6509 | 6.5 (Medium) | 12.0.91, 11.11.109, 10.12.252, 9.80.78, 8.40.59 | Axis Security Advisory - The VAPIX API alwaysmulti.cgi was vulnerable to file globbing, which could lead to resource exhaustion of the Axis device. |
| CVE-2024-6173 | 6.5 (Medium) | 11.11.73, 10.12.252, 9.80.78, 8.40.59 | Axis Security Advisory - A Guard Tour VAPIX API parameter allowed the use of arbitrary values, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device. |
| CVE-2024-0067 | 4.3 (Medium) | 11.11.73, 10.12.252, 9.80.78, 8.40.59 | Axis Security Advisory - The VAPIX API ledlimit.cgi was vulnerable to path traversal attacks, allowing folder/file names on the local file system of the Axis device to be listed. |
| CVE-2024-0066 | 5.3 (Medium) | 11.10.61, 10.12.236, 9.80.69, 8.40.48, 6.50.5.18, 5.51.7.8 | Axis Security Advisory - An O3C feature may expose sensitive traffic between the client (Axis device) and the (O3C) server. If O3C is not being used, this flaw does not apply. |
| CVE-2024-0055 | 6.5 (Medium) | 11.9.60, 10.12.228 | Axis Security Advisory - The VAPIX APIs mediaclip.cgi and playclip.cgi were vulnerable to file globbing, which could lead to a resource exhaustion attack. |
| CVE-2024-0054 | 6.5 (Medium) | 11.9.60, 10.12.228, 9.80.66, 8.40.43 | Axis Security Advisory - The VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi were vulnerable to file globbing, which could lead to a resource exhaustion attack. |

CVE 2023

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2023-22984 | 6.1 (Medium) | N/A | This CVE has been rejected as it is out of scope in accordance with our vulnerability management policy. Please follow our general Security Advisory about CSRF and XSS attacks on how to mitigate this type of vulnerability. |
| CVE-2023-21418 | 7.1 (High) | 11.7.57, 10.12.213, 9.80.49, 8.40.37, 6.50.5.15 | Axis Security Advisory - The VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allow for file deletion. |
| CVE-2023-21417 | 7.1 (High) | 11.7.57, 10.12.208, 9.80.49 | Axis Security Advisory - The VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allow for file/folder deletion. |
| CVE-2023-21416 | 7.1 (High) | 11.7.57, 10.12.213 | Axis Security Advisory - The VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack, allowing an attacker to block access to the overlay configuration page in the web interface of the Axis device. |
| CVE-2023-21415 | 6.5 (Medium) | 11.6.94, 10.12.208, 9.80.47, 8.40.35, 6.50.5.14 | Axis Security Advisory - The VAPIX API overlay_del.cgi was vulnerable to path traversal attacks that allow for file deletion. |
| CVE-2023-21414 | 7.1 (High) | 11.6.94, 10.12.208 | Axis Security Advisory - Device tampering protection (commonly known as Secure Boot) in AXIS OS was vulnerable to a sophisticated attack that bypasses this protection. This patch enforces a downgrade restriction. For more information, please review the security advisory. |
| CVE-2023-21413 | 9.1 (Critical) | 11.6.94, 10.12.199 | Axis Security Advisory - The application handling service in AXIS OS was vulnerable to command injection, allowing an attacker to run arbitrary code. |
| CVE-2023-21406 | 7.1 (High) | 1.65.5 | Axis Security Advisory - A heap-based buffer overflow was found in the pacsiod process, which handles the OSDP communication, allowing writes outside of the allocated buffer. By appending invalid data to an OSDP message it was possible to write data beyond the heap-allocated buffer. The data written outside the buffer could be used to execute arbitrary code. |
| CVE-2023-21405 | 6.5 (Medium) | 11.7.12.2, 11.5.54, 10.12.200.1, 10.12.182, 1.65.5 | Axis Security Advisory - When communicating over OSDP, a flaw was found that causes the OSDP message parser to crash the pacsiod process, temporarily making the door-controlling functionality unavailable, meaning that doors cannot be opened or closed. |
| CVE-2023-21404 | 4.1 (Medium) | 11.4.52 | Axis Security Advisory - A static RSA key was used to encrypt Axis-specific source code in legacy LUA components. The encryption was applied to keep non-sensitive Axis-specific code from being easily human-readable. |
| CVE-2023-5800 | 5.4 (Medium) | 11.8.61, 10.12.221, 9.80.55, 8.40.43, 6.50.5.16 | Axis Security Advisory - The VAPIX API create_overlay.cgi did not have sufficient input validation, allowing for a possible remote code execution. |
| CVE-2023-5677 | 6.3 (Medium) | 5.51.7.7 | Axis Security Advisory - The VAPIX API tcptest.cgi did not have sufficient input validation, allowing for a possible remote code execution. |
| CVE-2023-5553 | 7.6 (High) | 11.7.57, 10.12.213 | Axis Security Advisory - Device tampering protection (commonly known as Secure Boot) in AXIS OS was vulnerable to a sophisticated attack that bypasses this protection. This patch enforces a downgrade restriction. For more information, please review the security advisory. |

CVE 2021-2000

| CVE number | Patched | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2021-31988 | Yes | Axis Security Advisory |
| CVE-2021-31987 | Yes | Axis Security Advisory |
| CVE-2021-31986 | Yes | Axis Security Advisory |
| CVE-2018-10664 | Yes | Axis Security Advisory |
| CVE-2018-10663 | Yes | Axis Security Advisory |
| CVE-2018-10662 | Yes | Axis Security Advisory |
| CVE-2018-10661 | Yes | Axis Security Advisory |
| CVE-2018-10660 | Yes | Axis Security Advisory |
| CVE-2018-10659 | Yes | Axis Security Advisory |
| CVE-2018-10658 | Yes | Axis Security Advisory |
| CVE-2018-9158 | Yes | |
| CVE-2018-9157 | No | Disputed. This is an intended feature/functionality. |
| CVE-2018-9156 | No | Disputed. This is an intended feature/functionality. |
| CVE-2017-20050 | No | This CVE has been rejected as we are lacking information on how to reproduce this vulnerability. |
| CVE-2017-20049 | Yes | Axis Security Advisory |
| CVE-2017-20048 | No | This CVE has been rejected as it is out of scope in accordance with our vulnerability management policy. |
| CVE-2017-20047 | No | This CVE has been rejected as it is out of scope in accordance with our vulnerability management policy. |
| CVE-2017-20046 | No | This CVE has been rejected as it is out of scope in accordance with our vulnerability management policy. |
| CVE-2017-15885 | Yes | |
| CVE-2017-12413 | Yes | |
| CVE-2016-AXIS-0812 | Yes | |
| CVE-2015-8258 | Yes | Axis Security Advisory |
| CVE-2015-8257 | Yes | Axis Security Advisory |
| CVE-2015-8256 | Yes | Axis Security Advisory |
| CVE-2015-8255 | Yes | Axis Security Advisory |
| CVE-2013-3543 | Yes | The vulnerability has been patched in the affected AMC (AXIS Media Control) as of AMC 6.3.8.0. |
| CVE-2008-5260 | Yes | The vulnerability has been patched in affected products. |
| CVE-2007-5214 | Yes | The vulnerability has been patched in affected products. |
| CVE-2007-5213 | Yes | |
| CVE-2007-5212 | Yes | |
| CVE-2007-4930 | Yes | |
| CVE-2007-4929 | Yes | |
| CVE-2007-4928 | Yes | |
| CVE-2007-4927 | Yes | |
| CVE-2007-4926 | Yes | |
| CVE-2007-2239 | Yes | |
| CVE-2004-2427 | Yes | |
| CVE-2004-2426 | Yes | |
| CVE-2004-2425 | Yes | |
| CVE-2004-0789 | Yes | |
| CVE-2003-1386 | Yes | |
| CVE-2003-0240 | Yes | |
| CVE-2001-1543 | Yes | |
| CVE-2000-0191 | Yes | |
| CVE-2000-0144 | Yes | |

ACV

Miscellaneous

CVE 2022

| CVE number | CVSS severity | Patched in version | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2022-23410 | 7.8 (High) | 4.18.0 | Axis Security Advisory - AXIS IP Utility allowed for remote code execution and local privilege escalation by means of DLL hijacking. |

OpenSource CVEs

The OpenSource registry covers potential threats caused by 3rd party vulnerabilities of OpenSource components that are used in Axis products.

Severity rating

Since 2024, we have started adding the severity level to the table below. Note that it is only added for new CVEs.

Please note that the severity ratings provided for each CVE are based on calculations and assessments made by the respective open source providers. These ratings are not specific to Axis devices and do not necessarily reflect the severity of these vulnerabilities in the context of Axis products. The severity ratings provided here are intended to give a general indication of the potential impact as determined by the broader security community. If a CVSS rating is unavailable at www.cve.org, we refer to the National Vulnerability Database (NVD) for the necessary information when available.

AXIS OS

CVE 2024

| CVE number | CVSS severity | Affected | Security advisory / Vulnerability summary |
|---|---|---|---|
| CVE-2024-40898 | 7.5 (High) | No | AXIS OS devices do not run the Windows version of Apache. |
| CVE-2024-40725 | 5.3 (Medium) | No | AXIS OS devices do not utilize the affected function. |
| CVE-2024-39884 | | No | AXIS OS devices do not utilize the affected function. |
| CVE-2024-39573 | 7.5 (High) | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38477 | 7.5 (High) | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38476 | 9.8 (Critical) | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38475 | | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38474 | 9.8 (Critical) | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38473 | | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-38472 | | No | AXIS OS devices do not run the Windows version of Apache. |
| CVE-2024-36387 | | Yes | The vulnerability is patched by upgrading to Apache version 2.4.60. |
| CVE-2024-28960 | | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-28836 | | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-28755 | | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-27316 | 7.5 (High) | Yes | The vulnerability is patched by upgrading to Apache version 2.4.59. |
| CVE-2024-26898 | 7.8 (High) | No | AXIS OS devices do not use this ATA over Ethernet driver. |
| CVE-2024-24795 | | Yes | The vulnerability is patched by upgrading to Apache version 2.4.59. |
| CVE-2024-23775 | 7.5 (High) | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-23744 | 7.5 (High) | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-23170 | 5.5 (Medium) | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2024-22472 | 8.1 (High) | No | AXIS OS Z-Wave devices do not use the affected module. |
| CVE-2024-9681 | 6.5 (Medium) | Yes | The vulnerability is patched by upgrading to cURL version 8.11.0. |
| CVE-2024-9143 | | No | AXIS OS devices do not use "exotic" curves as referred to in the OpenSSL advisory. |
| CVE-2024-8957 | 9.1 (Critical) | No | AXIS OS devices do not use the affected open source packages and implementations. |
| CVE-2024-8956 | 7.2 (High) | No | AXIS OS devices do not use the affected open source packages and implementations. |
| CVE-2024-7264 | 6.5 (Medium) | No | AXIS OS devices do not use the affected TLS backend. |
| CVE-2024-6387 | 8.1 (High) | Yes | The vulnerability is patched by upgrading to OpenSSH version 9.8. |
| CVE-2024-5535 | 6.5 (Medium) | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1za (AXIS OS 6.50, LTS 2018/2020/2022) and OpenSSL version 3.0.15 (LTS 2024/active track). |
| CVE-2024-3094 | 10 (Critical) | No | AXIS OS devices are running a different XZ Utils version that is not affected. |
| CVE-2024-3052 | 7.5 (High) | No | AXIS OS Z-Wave devices use a later version that is not affected. |
| CVE-2024-2466 | | No | AXIS OS devices do not use Mbed TLS. |
| CVE-2024-2398 | 8.6 (High) | Yes | The vulnerability is patched by upgrading to cURL version 8.7.1. |
| CVE-2024-2379 | | No | AXIS OS devices do not use wolfSSL. |
| CVE-2024-2004 | 3.5 (Low) | Yes | The vulnerability is patched by upgrading to cURL version 8.7.1. |

CVE 2023

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2023-51395 | No | AXIS OS Z-Wave devices are running as controllers, not end devices. |
| CVE-2023-48795 | Yes | The vulnerability is patched by upgrading to OpenSSH version 9.6. |
| CVE-2023-46446 | No | AXIS OS devices do not include AsyncSSH. |
| CVE-2023-46445 | No | AXIS OS devices do not include AsyncSSH. |
| CVE-2023-46219 | Yes | The vulnerability is patched by upgrading to cURL version 8.5.0. |
| CVE-2023-46218 | Yes | The vulnerability is patched by upgrading to cURL version 8.5.0. |
| CVE-2023-45802 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.58. |
| CVE-2023-45199 | No | AXIS OS Z-Wave devices do not use Mbed TLS. |
| CVE-2023-44487 | No | AXIS OS devices use the affected library in a different, non-vulnerable way. |
| CVE-2023-43622 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.58. |
| CVE-2023-38709 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.59. |
| CVE-2023-38546 | Yes | The vulnerability is patched by upgrading to cURL version 8.4.0. |
| CVE-2023-38545 | Yes | The vulnerability is patched by upgrading to cURL version 8.4.0. |
| CVE-2023-38408 | No | AXIS OS devices do not include the ssh-agent of OpenSSH. |
| CVE-2023-32001 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-31122 | No | AXIS OS devices do not use the mod_macro module. |
| CVE-2023-28322 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-28321 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-28320 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-28319 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27538 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27537 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27536 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27535 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27534 | Yes | The vulnerability is patched by upgrading to cURL version 8.0.1. |
| CVE-2023-27533 | No | cURL’s GSS functionality is not used on AXIS OS devices. |
| CVE-2023-27522 | No | AXIS OS devices do not use the mod_proxy_uwsgi module. |
| CVE-2023-26083 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2023-25690 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.56. |
| CVE-2023-25136 | Yes | AXIS OS devices are running a different OpenSSH version which is not affected. |
| CVE-2023-23916 | Yes | The vulnerability is patched by upgrading to cURL version 7.88.1. |
| CVE-2023-23915 | No | AXIS OS devices are running a different cURL version which is not affected. |
| CVE-2023-23914 | No | AXIS OS devices are running a different cURL version which is not affected. |
| CVE-2023-6246 | Yes | Only the AXIS OS 11 active track is affected. The vulnerability is patched by upgrading to glibc version 2.39. Other AXIS OS LTS tracks are not affected, as root privileges are already available to the user when logging in through the SSH console. |
| CVE-2023-5678 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1x (AXIS OS 6.50, LTS 2018/2020/2022) and OpenSSL version 3.0.13 on the active track. |
| CVE-2023-4807 | No | AXIS OS devices do not use Windows XMM registers. |
| CVE-2023-4211 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2023-3817 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1v. |
| CVE-2023-3446 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1v. |
| CVE-2023-2588 | No | AXIS OS devices do not have the affected function enabled. |
| CVE-2023-1018 | No | Through testing, the vulnerability cannot be exploited in the TPM modules used by Axis devices. |
| CVE-2023-1017 | No | Through testing, the vulnerability cannot be exploited in the TPM modules used by Axis devices. |
| CVE-2023-0466 | No | AXIS OS devices do not utilize non-default certificate policy validation. |
| CVE-2023-0465 | No | AXIS OS devices do not utilize non-default certificate policy validation. |
| CVE-2023-0464 | No | AXIS OS devices do not utilize non-default certificate policy validation. |
| CVE-2023-0401 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2023-0286 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1t. |
| CVE-2023-0217 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2023-0216 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2023-0215 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1t. |

CVE 2022

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2022-46152 | Yes | The vulnerability is patched on the AXIS OS active track and LTS 2022. Updating is recommended. |
| CVE-2022-43552 | No | HTTP proxy tunnel functionality is not enabled on AXIS OS devices. |
| CVE-2022-43551 | No | cURL’s HSTS functionality is not enabled on AXIS OS devices. |
| CVE-2022-42916 | Yes | The vulnerability is patched by upgrading to cURL version 7.86.0. |
| CVE-2022-42915 | Yes | The vulnerability is patched by upgrading to cURL version 7.86.0. |
| CVE-2022-42889 | No | AXIS OS devices do not use the affected Apache Commons software package. |
| CVE-2022-42012 | No | While AXIS OS devices use some of the affected functions, all of these vulnerabilities require root access to be exploited, and when root access is gained, full control over the device is already established. |
| CVE-2022-42011 | No | While AXIS OS devices use some of the affected functions, all of these vulnerabilities require root access to be exploited, and when root access is gained, full control over the device is already established. |
| CVE-2022-42010 | No | While AXIS OS devices use some of the affected functions, all of these vulnerabilities require root access to be exploited, and when root access is gained, full control over the device is already established. |
| CVE-2022-38181 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2022-37436 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.55. |
| CVE-2022-36760 | No | AXIS OS devices do not use the mod_proxy_ajp module. |
| CVE-2022-35260 | Yes | The vulnerability is patched by upgrading to cURL version 7.86.0. |
| CVE-2022-35252 | No | AXIS OS devices do not use the cookie engine of cURL. |
| CVE-2022-32221 | Yes | The vulnerability is patched by upgrading to cURL version 7.86.0. |
| CVE-2022-32208 | No | AXIS OS devices do not have Kerberos enabled. |
| CVE-2022-32207 | Yes | The vulnerability is patched by upgrading to cURL version 7.84.0. |
| CVE-2022-32206 | Yes | The vulnerability is patched by upgrading to cURL version 7.84.0. |
| CVE-2022-32205 | Yes | The vulnerability is patched by upgrading to cURL version 7.84.0. |
| CVE-2022-31813 | No | AXIS OS devices do not utilize IP-based authentication. |
| CVE-2022-30556 | No | AXIS OS devices do not use the mod_lua module. |
| CVE-2022-30522 | No | AXIS OS devices do not use the mod_sed module. |
| CVE-2022-30295 | Yes | Affects AXIS P7701 Video Decoder. Other Axis devices that are running the latest AXIS OS LTS or active version do not use the uClibc or uClibc-ng library. We are currently awaiting the availability of an upstream patch to judge whether we can provide a service release that patches this vulnerability. |
| CVE-2022-30115 | No | |
| CVE-2022-29404 | No | AXIS OS devices do not use the mod_lua module. |
| CVE-2022-28861 | Yes | This vulnerability applies to Citilog software; it is not a vulnerability in AXIS OS itself. |
| CVE-2022-28860 | Yes | This vulnerability applies to Citilog software; it is not a vulnerability in AXIS OS itself. |
| CVE-2022-28615 | No | AXIS OS devices do not use the ap_strcmp_match() function. |
| CVE-2022-28614 | No | AXIS OS devices do not use the ap_rwrite() function. |
| CVE-2022-28330 | No | AXIS OS devices do not use the mod_isapi module. |
| CVE-2022-27782 | Yes | The vulnerability is patched by upgrading to cURL 7.83.1. |
| CVE-2022-27781 | Yes | The vulnerability is patched by upgrading to cURL 7.83.1. |
| CVE-2022-27780 | No | |
| CVE-2022-27779 | No | |
| CVE-2022-27778 | No | |
| CVE-2022-27776 | Yes | The vulnerability is patched in a timely manner on the AXIS OS active track and the LTS tracks. |
| CVE-2022-27775 | Yes | The vulnerability is patched in a timely manner on the AXIS OS active track and the LTS tracks. |
| CVE-2022-27774 | Yes | The vulnerability is patched in a timely manner on the AXIS OS active track and the LTS tracks. |
| CVE-2022-26377 | No | AXIS OS devices do not use the mod_proxy_ajp module. |
| CVE-2022-22965 | No | Not affected, as JDK, Spring Cloud Function and/or Apache Tomcat are not used. |
| CVE-2022-22963 | No | Not affected, as JDK, Spring Cloud Function and/or Apache Tomcat are not used. |
| CVE-2022-23943 | No | AXIS OS devices do not use the mod_sed module. |
| CVE-2022-22721 | No | While AXIS OS devices use the core module, the LimitXMLRequestBody directive is unused. |
| CVE-2022-22720 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.53. |
| CVE-2022-22719 | No | AXIS OS devices do not use the mod_lua module. |
| CVE-2022-22706 | No | |
| CVE-2022-4450 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1t. |
| CVE-2022-4304 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1t. |
| CVE-2022-4203 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2022-3786 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2022-3602 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2022-2586 | Yes | All Axis products with Linux Kernel version 4.14 and onwards are affected by this vulnerability. Axis deems the severity of this vulnerability low, as it requires the attacker to be authenticated; only after successful authentication can this vulnerability be exploited (local exploit). We will provide patches for the affected Linux Kernel LTS versions in a timely manner. |
| CVE-2022-2585 | Yes | All Axis products with Linux Kernel version 4.14 and onwards are affected by this vulnerability. We are awaiting upstream patches for the affected Linux Kernel LTS versions. The vulnerability is already patched for all Axis products with Linux Kernel version 5.15 and higher, and has been patched for a number of products on Linux Kernel version 4.19. Axis deems the severity of this vulnerability low, as it requires the attacker to be authenticated; only after successful authentication can this vulnerability be exploited (local exploit). We will provide patches for the affected Linux Kernel LTS versions in a timely manner. |
| CVE-2022-2274 | No | AXIS OS devices are running a different OpenSSL track which is not affected. |
| CVE-2022-2097 | No | AXIS OS devices do not use an x86 architecture. |
| CVE-2022-2068 | No | AXIS OS devices do not use the c_rehash script. |
| CVE-2022-1292 | No | AXIS OS devices do not use the c_rehash script. |
| CVE-2022-0847 | No | The affected Linux Kernel 5.8 is not used; AXIS OS devices use lower Linux Kernel versions from the Linux long-term releases. |
| CVE-2022-0778 | Yes | The vulnerability is patched by upgrading to OpenSSL version 1.1.1n. |
| CVE-2022-0336 | No | This vulnerability is exploitable when Active Directory (AD/ADFS) services are used, which is functionality that is not supported in AXIS OS devices. |

CVE 2021

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2021-44790 | No | AXIS OS devices do not use the mod_lua module. |
| CVE-2021-44228 | No | AXIS OS products only use the vanilla Apache webserver and not Apache Log4j, which is vulnerable. A general statement for the Axis portfolio can be found here. |
| CVE-2021-44224 | Yes | The vulnerability is patched by upgrading to Apache version 2.4.52. |
| CVE-2021-43523 | Yes | Affects AXIS P7701 Video Decoder. Other Axis devices that are running the latest AXIS OS LTS or active version do not use the uClibc or uClibc-ng library. We are currently awaiting the availability of an upstream patch to judge whether we can provide a service release that patches this vulnerability. |
| CVE-2021-42013 | No | |
| CVE-2021-41773 | No | |
| CVE-2021-41617 | No | Not affected, since the AXIS OS configuration for SSH does not include AuthorizedKeysCommand or AuthorizedPrincipalsCommand in its default configuration. |
| CVE-2021-41524 | No | |
| CVE-2021-40438 | Yes | The vulnerability is patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-40146 | No | |
| CVE-2021-39275 | Yes | The vulnerability is patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-36260 | No | |
| CVE-2021-36160 | No | |
| CVE-2021-34798 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-33910 | Yes | The vulnerability has been patched. Updating is recommended. |
| CVE-2021-33558 | No | The affected 3rd-party components backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js are not used in Axis products below version 5.70 that utilize the BOA webserver. Axis products with 5.70 and higher utilize the Apache webserver, where these vulnerabilities do not apply as the BOA webserver has been removed. |
| CVE-2021-33193 | Yes | Affects AXIS OS 10.1 - 10.7. The vulnerability has been patched. Updating is recommended. |
| CVE-2021-32934 | No | |
| CVE-2021-31618 | No | |
| CVE-2021-31618 | Yes | Affects AXIS OS 10.1 - 10.6. Has been patched in AXIS OS 10.7. |
| CVE-2021-30641 | No | |
| CVE-2021-29462 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-29256 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2021-28664 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2021-28663 | No | AXIS OS devices do not use this GPU kernel driver. |
| CVE-2021-28372 | No | Not affected, since AXIS OS does not utilize the ThroughTek (TUTK) TCP/IP stack application. |
| CVE-2021-27365 | No | AXIS OS devices do not utilize iSCSI functionality. |
| CVE-2021-27219 | Yes | The vulnerability has been patched on the LTS tracks. |
| CVE-2021-27218 | Yes | The vulnerability has been patched on the LTS tracks. |
| CVE-2021-26691 | No | |
| CVE-2021-26690 | No | |
| CVE-2021-25677 | No | |
| CVE-2021-23841 | No | |
| CVE-2021-23840 | No | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2021-23839 | No | |
| CVE-2021-22947 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-22946 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2021-22945 | No | |
| CVE-2021-22901 | No | |
| CVE-2021-22898 | No | |
| CVE-2021-22897 | No | |
| CVE-2021-22890 | No | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2021-22876 | No | |
| CVE-2021-21727 | No | |
| CVE-2021-4160 | Yes | The vulnerability is patched by upgrading to OpenSSL 1.1.1m. |
| CVE-2021-4104 | No | AXIS OS products only use the vanilla Apache webserver and not Apache Log4j, which is vulnerable. A general statement for the Axis portfolio can be found here. |
| CVE-2021-4034 | No | Not affected, since Polkit's (PolicyKit) pkexec component is not used. |
| CVE-2021-4032 | No | Not affected, since the x86 computing architecture is not used in AXIS OS products; AXIS OS products utilize MIPS- and ARM-based computing architectures instead. |
| CVE-2021-3712 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2021-3658 | Yes | Affects AXIS OS 8.40 LTS and 9.80 LTS. The vulnerability has been patched on the LTS tracks. |
| CVE-2021-3450 | No | |
| CVE-2021-3449 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |

CVE 2020

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2020-35452 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2020-27738 | No | |
| CVE-2020-27737 | No | |
| CVE-2020-27736 | No | |
| CVE-2020-27009 | No | |
| CVE-2020-26558 | Yes | Affects the Axis body worn solution and Axis wireless cameras. The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2020-25112 | No | |
| CVE-2020-25111 | No | |
| CVE-2020-25110 | No | |
| CVE-2020-25109 | No | |
| CVE-2020-25108 | No | |
| CVE-2020-25107 | No | |
| CVE-2020-25066 | No | |
| CVE-2020-24383 | No | |
| CVE-2020-24341 | No | |
| CVE-2020-24340 | No | |
| CVE-2020-24339 | No | |
| CVE-2020-24338 | No | |
| CVE-2020-24337 | No | |
| CVE-2020-24336 | No | |
| CVE-2020-24335 | No | |
| CVE-2020-24334 | No | |
| CVE-2020-17470 | No | |
| CVE-2020-17469 | No | |
| CVE-2020-17468 | No | |
| CVE-2020-17467 | No | |
| CVE-2020-17445 | No | |
| CVE-2020-17444 | No | |
| CVE-2020-17443 | No | |
| CVE-2020-17442 | No | |
| CVE-2020-17441 | No | |
| CVE-2020-17440 | No | |
| CVE-2020-17439 | No | |
| CVE-2020-17438 | No | |
| CVE-2020-17437 | No | |
| CVE-2020-17049 | No | This vulnerability is exploitable only when Microsoft Kerberos services are used, which is functionality that AXIS OS devices do not support. |
| CVE-2020-15795 | No | |
| CVE-2020-14871 | No | |
| CVE-2020-13988 | No | |
| CVE-2020-13987 | No | |
| CVE-2020-13986 | No | |
| CVE-2020-13985 | No | |
| CVE-2020-13984 | No | |
| CVE-2020-13950 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2020-13938 | No | |
| CVE-2020-13848 | Yes | Concerned customers can temporarily disable the parameter Network.UPnP.Enabled in Plain config to mitigate this. The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2020-12695 | No | |
| CVE-2020-11993 | No | |
| CVE-2020-11984 | No | |
| CVE-2020-11899 | No | |
| CVE-2020-11898 | No | |
| CVE-2020-11897 | No | |
| CVE-2020-11896 | No | |
| CVE-2020-11023 | No | Axis deems the severity and impact of this vulnerability low, since it requires the attacker to be authenticated and no known exploits are available that negatively affect the Axis product. |
| CVE-2020-11022 | No | Axis deems the severity and impact of this vulnerability low, since it requires the attacker to be authenticated and no known exploits are available that negatively affect the Axis product. |
| CVE-2020-10713 | No | |
| CVE-2020-9770 | Yes | Affects Axis body worn and wireless devices and will be patched in a timely manner on the AXIS OS active track and the LTS tracks. |
| CVE-2020-9490 | Yes | Products with AXIS OS 10.0 or lower are not affected. For newer AXIS OS versions, the vulnerability has been patched on the AXIS OS active track. Updating is recommended. |
| CVE-2020-9308 | Yes | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2020-7461 | No | |
| CVE-2020-3120 | No | |
| CVE-2020-3119 | No | |
| CVE-2020-3118 | No | |
| CVE-2020-3111 | No | |
| CVE-2020-3110 | No | |
| CVE-2020-1971 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2020-1967 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2020-1938 | No | |
| CVE-2020-1934 | No | |
| CVE-2020-1927 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2020-1472 | No | This vulnerability is exploitable only against a Netlogon server whose "server schannel" configuration property is disabled or left in a permissive setting. This property is not supported in AXIS OS devices, which use default settings that are deemed secure. |
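
The CVE-2020-13848 row names the Plain config parameter Network.UPnP.Enabled as the temporary mitigation. The script below is an added example written for this registry page, not Axis code: it reads that parameter through the VAPIX parameter interface, reports whether UPnP is still exposed and, when asked to, sets it to "no" and re-reads it to confirm the change took effect. The /axis-cgi/param.cgi path, the action=list / action=update query syntax and the `root.Group.Param=value` response format are assumed from the public VAPIX parameter API; the host name and credentials are placeholders.

```python
"""Check and optionally disable UPnP on an AXIS OS device via VAPIX param.cgi.

Added example for this advisory registry; not Axis code. Assumed (not taken
from this page): the /axis-cgi/param.cgi path, the action=list / action=update
query syntax and the `root.Group.Param=value` response format of the public
VAPIX parameter API. Host names and credentials are placeholders.
"""
import ssl
from urllib.parse import urlencode
from urllib.request import (HTTPBasicAuthHandler, HTTPDigestAuthHandler,
                            HTTPPasswordMgrWithDefaultRealm, HTTPSHandler,
                            build_opener)

PARAM = "Network.UPnP.Enabled"      # parameter named in the CVE-2020-13848 row
GROUP = "Network.UPnP"              # parameter group queried with action=list


def build_url(host, action, **params):
    """URL for param.cgi with the given action and parameters (assumed syntax)."""
    query = urlencode({"action": action, **params})
    return f"https://{host}/axis-cgi/param.cgi?{query}"


def parse_param_list(body):
    """Parse `root.Group.Param=value` lines into a dict keyed without `root.`.

    Lines without '=' (blank lines, an error text) are skipped rather than
    being treated as parameters.
    """
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith("root."):
            key = key[len("root."):]
        params[key] = value
    return params


def upnp_exposed(params):
    """True when the device still announces itself over UPnP (value 'yes')."""
    return params.get(PARAM, "").strip().lower() == "yes"


def _opener(host, user, password, cafile=None):
    """Opener with digest (Axis default) and basic auth that verifies the
    device certificate against the system store or the CA bundle in `cafile`.
    Verification stays on: this request carries administrator credentials."""
    mgr = HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, f"https://{host}/", user, password)
    ctx = ssl.create_default_context(cafile=cafile)
    return build_opener(HTTPSHandler(context=ctx),
                        HTTPDigestAuthHandler(mgr), HTTPBasicAuthHandler(mgr))


def fetch(host, user, password, action, cafile=None, **params):
    """Perform one param.cgi request and return the response body as text."""
    opener = _opener(host, user, password, cafile)
    with opener.open(build_url(host, action, **params), timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def mitigate_upnp(host, user, password, apply=False, cafile=None):
    """Return (exposed_before, exposed_after).

    Without apply=True this is a read-only check. With apply=True the
    parameter is set to 'no' and then re-read, so the caller sees whether the
    change actually took effect instead of trusting the update response.
    """
    before = upnp_exposed(parse_param_list(
        fetch(host, user, password, "list", cafile, group=GROUP)))
    if not (before and apply):
        return before, before
    fetch(host, user, password, "update", cafile, **{PARAM: "no"})
    after = upnp_exposed(parse_param_list(
        fetch(host, user, password, "list", cafile, group=GROUP)))
    return before, after


if __name__ == "__main__":
    import getpass
    import sys
    host = sys.argv[1]                      # e.g. 192.0.2.10 (placeholder)
    apply = "--apply" in sys.argv
    before, after = mitigate_upnp(host, "root", getpass.getpass(), apply)
    print(f"UPnP exposed before: {before}, after: {after}")
```

Run it without `--apply` first to inventory which devices still have UPnP on; the write path is taken only when the parameter is "yes" and `--apply` is given. Because the request authenticates as an administrator, certificate verification is deliberately not disabled; devices with a self-signed certificate need that certificate (or its issuing CA) passed via `cafile` rather than a blanket trust bypass.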

CVE 2019

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2019-1000020 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2019-1000019 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2019-19221 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2019-17567 | Yes | Affects Axis door stations/intercoms. The vulnerability has been patched. Updating is recommended. |
| CVE-2019-15916 | Yes | Affects LTS 2016. The vulnerability has been patched. Updating is recommended. |
| CVE-2019-12450 | Yes | Affects LTS 2018 and LTS 2016. The vulnerability has been patched. |
| CVE-2019-11358 | Yes | Axis deems the severity and impact of this vulnerability low, since it requires the attacker to be authenticated and no known exploits are available that negatively affect the Axis product. |
| CVE-2019-11135 | No | |
| CVE-2019-11091 | No | |
| CVE-2019-10744 | No | |
| CVE-2019-9517 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. Updating is recommended. |
| CVE-2019-1563 | No | |
| CVE-2019-1559 | No | |
| CVE-2019-1551 | No | |
| CVE-2019-1547 | No | |
| CVE-2019-1125 | No | |

CVE 2018

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2018-1000880 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2018-1000879 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2018-1000878 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2018-1000877 | No | AXIS OS devices use a different (not affected) version of libarchive, or the affected functions require root access to be exploited; once root access is gained, full control over the device is already established. |
| CVE-2018-25032 | Yes | The vulnerability has been patched on the AXIS OS active track and the LTS tracks. |
| CVE-2018-12207 | No | |
| CVE-2018-12130 | No | |
| CVE-2018-12127 | No | |
| CVE-2018-12126 | No | |
| CVE-2018-10938 | No | AXIS OS devices do not have CONFIG_NETLABEL set. Additionally, the vulnerability was fixed in Linux kernel 4.9.125, and AXIS OS devices use kernel 4.9.206. |
| CVE-2018-3646 | No | |
| CVE-2018-3639 | No | |
| CVE-2018-3620 | No | |
| CVE-2018-3615 | No | |
| CVE-2018-1285 | No | Not affected, since Apache log4net is not used in AXIS OS. |

CVE 2017

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2017-9833 | No | The affected third-party component /cgi-bin/wapopen is not used in Axis products below version 5.70, which utilize the BOA web server. Furthermore, input validation is applied in the Axis APIs, which would prevent such injections. Axis products with version 5.70 and higher utilize the Apache web server, where these vulnerabilities do not apply since the BOA web server has been removed. |
| CVE-2017-5754 | No | |
| CVE-2017-5753 | Yes | Axis has delivered patches to the affected products. |
| CVE-2017-5715 | Yes | Axis has delivered patches to the affected products. |

CVE 2016

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2016-20009 | No | |
| CVE-2016-8863 | Yes | Axis has delivered patches to the affected products. |
| CVE-2016-7409 | No | |
| CVE-2016-7408 | No | |
| CVE-2016-7407 | No | |
| CVE-2016-7406 | No | |
| CVE-2016-6255 | Yes | Axis has delivered patches to the affected products. |
| CVE-2016-2183 | Yes | The vulnerability has been patched on the active track and the LTS tracks. |
| CVE-2016-2147 | Yes | Axis has delivered patches to the affected products. |
| CVE-2016-2148 | Yes | Axis has delivered patches to the affected products. |

CVE 2015

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2015-7547 | Yes | Axis has delivered patches to the affected products. |
| CVE-2015-0235 | Yes | Axis has delivered patches to the affected products. |
| CVE-2015-0204 | No | |

CVE 2014-1999

| CVE number | Affected | Security advisory / Vulnerability summary |
|---|---|---|
| CVE-2014-6271 | No | |
| CVE-2014-3566 | Yes | Axis has delivered patches to the affected products. |
| CVE-2014-0224 | Yes | Axis has delivered patches to the affected products. |
| CVE-2014-0160 | No | |
| CVE-2013-0156 | No | AXIS OS devices do not use Ruby on Rails. |
| CVE-2011-3389 | No | |
| CVE-2009-1955 | No | |
| CVE-2007-6750 | No | |
| CVE-2007-6514 | No | |
| CVE-2006-20001 | No | AXIS OS devices do not use the mod_dav module. |
| CVE-2005-1797 | No | |
| CVE-2005-0088 | No | |
| CVE-2002-20001 | Yes | This is a known limitation of asymmetric cryptography (the server spends far more CPU on each Diffie-Hellman handshake than the client does) and is not considered relevant by Axis, since the web server in Axis devices accepts only 20 concurrent connections at a time, which renders the attack vector ineffective. Axis recommends using symmetric cryptography instead when connecting to Axis devices. |
| CVE-2002-0185 | No | |
| CVE-1999-1412 | No | |
| CVE-1999-1237 | No | |
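
Two rows in this registry concern the cipher suites a device will still negotiate: CVE-2016-2183 (SWEET32, 64-bit block ciphers such as 3DES) in the 2016 table, and CVE-2002-20001 (D(HE)ater, which exploits the server-side cost of finite-field Diffie-Hellman key exchange) above. The probe below is an added example written for this page, not Axis code; it checks from the network side whether a patched device still offers either family. It assumes HTTPS on port 443 and the OpenSSL cipher-string keywords `kDHE` and `3DES`; the host name on the command line is a placeholder.

```python
"""Probe which weak TLS families an AXIS OS web server still negotiates.

Added example for this advisory registry; not Axis code. It checks from the
network side for finite-field DHE key exchange (the precondition for the
D(HE)ater attack, CVE-2002-20001) and for 3DES bulk ciphers (SWEET32,
CVE-2016-2183). Assumed: HTTPS on port 443 and OpenSSL cipher-string
keywords; the host name given on the command line is a placeholder.
"""
import socket
import ssl

# One OpenSSL cipher-string selector per family to rule out.
PROBES = {
    "ffdhe": "kDHE",   # finite-field (ephemeral) Diffie-Hellman key exchange
    "3des": "3DES",    # 64-bit block cipher; SWEET32 applies
}


def classify_suite(name):
    """Map an OpenSSL suite name to "ffdhe", "3des" or None.

    ECDHE is deliberately not matched: the server-side cost asymmetry that
    D(HE)ater exploits concerns finite-field groups, not elliptic curves.
    """
    n = name.upper()
    if "DES-CBC3" in n or "3DES" in n:
        return "3des"
    if n.startswith(("DHE-", "EDH-", "ADH-", "DH-")):
        return "ffdhe"
    return None


def probe(host, family, port=443, timeout=5.0):
    """Offer only `family` to the server; return the negotiated suite or None.

    set_ciphers() does not govern TLS 1.3 suites, so the context is pinned to
    TLS 1.2 or lower: a TLS 1.3 server would otherwise complete the handshake
    regardless of the selector and the probe would read as a false positive.
    Certificate verification is off because device certificates are commonly
    self-signed and nothing secret is sent; this is a probe, not a client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(PROBES[family])
    except ssl.SSLError:
        return None   # the local OpenSSL build cannot even offer this family
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                suite = tls.cipher()[0]
    except OSError:   # refused, timed out, or handshake rejected (ssl.SSLError)
        return None
    # The server must have picked a suite from the family we offered.
    return suite if classify_suite(suite) == family else None


def audit(host, port=443):
    """Return {family: negotiated suite or None}. A non-None entry means the
    device still offers that family and the matching advisory still applies."""
    return {family: probe(host, family, port) for family in PROBES}


if __name__ == "__main__":
    import sys
    for family, suite in audit(sys.argv[1]).items():   # e.g. 192.0.2.10 (placeholder)
        print(f"{family}: {'OFFERED ' + suite if suite else 'not offered'}")
```

A result of "not offered" for both families on a device running the patched tracks is the expected outcome; an "OFFERED DHE-..." result means the D(HE)ater cost asymmetry still applies to that device regardless of the connection limit, and the server-side cipher configuration should be reviewed.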

Other vulnerabilities

This section covers vulnerabilities that are not classified as CVEs but have been investigated by Axis.

| Title | Details |
|---|---|
| ONVIF / WS Discovery DDoS Attacks | Statement for ONVIF-capable devices vulnerable to DDoS exploitation. |
| Cross-Site Request Forgery (CSRF) | Statement for Cross-Site Request Forgery in Axis products. |
| Exposed Axis products and their risks | Statement for exposed Axis products and their risks. |