A vulnerability, which was classified as critical, was found in AXIS OS 5.51. Affected is some unknown processing of the file tcptest.cgi of the component VAPIX API. CWE is classifying the issue as CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

The weakness was shared 02/05/2024. The advisory is shared for download at axis.com. This vulnerability is traded as CVE-2023-5677 since 10/20/2023. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 02/25/2024). The MITRE ATT&CK project declares the attack technique as T1059.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The entries VDB-242211, VDB-245879, VDB-245883 and VDB-245884 are related to this item.

Productinfo

Vendor

• AXIS

Name

• OS

Version

• 5.51

License

• free

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion