CVE-2024-47259 in AXIS
Summary
by MITRE • 03/04/2025
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have sufficient input validation, allowing for a possible command injection that could lead to files being transferred to the Axis device with the purpose of exhausting system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and a solution.
Analysis
by VulDB Data Team • 01/22/2026
CVE-2024-47259 lies in the VAPIX API endpoint dynamicoverlay.cgi of Axis network video devices running AXIS OS. The root cause is insufficient input validation in the web interface code behind that endpoint, which results in a command injection vector. VAPIX is the HTTP API used for remote management and configuration of Axis devices, so any device that exposes this endpoint to an attacker is affected. The flaw was reported through the AXIS OS Bug Bounty Program and fixed by Axis before any exploitation in the wild was reported, a good example of coordinated disclosure surfacing a flaw before it is abused.
Technically, dynamicoverlay.cgi handed user-supplied parameter values onward without proper sanitization or validation, so an attacker who can reach the endpoint can append operating system commands that run on the device with the privileges of the web interface process. The consequence the advisory describes is the ability to transfer files onto the device and use them to exhaust its resources; it does not describe a demonstrated full compromise. Because the endpoint is an HTTP API, the attack is carried out with ordinary network requests and needs no physical access. The summary does not state which privilege level is required to call the endpoint; VAPIX calls are authenticated by default, so in practice this usually means an attacker holding device credentials or a session for an account that can use the overlay API, which makes credential hygiene part of the exposure calculation.
The operational impact is primarily on availability: files written to the device through the injected command can consume flash storage or memory until the device degrades or stops recording, and in a surveillance deployment a camera that is not recording is a security failure in itself. Whether the same injection could be used to upload other payloads, alter configuration or obtain persistent access is not stated in the advisory; it should be neither assumed nor dismissed, and the safe planning assumption for an unpatched device is that arbitrary command execution on it is possible. Integrity is also in question, since a device that can be made to accept attacker-supplied files can no longer be fully trusted as an evidence source.
Mitigation starts with updating to the patched AXIS OS versions listed in the Axis security advisory; check the running firmware version of every affected device against that list rather than assuming a fleet is uniform. Beyond patching: segment cameras onto a management VLAN so that only video management servers and administrator hosts can reach their HTTP(S) ports. Note that a network firewall can restrict who reaches the device but cannot filter a single CGI path, so per-endpoint blocking or request inspection for dynamicoverlay.cgi needs a reverse proxy or web application firewall in front of the device, with TLS terminated there. Log and alert on requests to dynamicoverlay.cgi from unexpected sources or carrying shell metacharacters, review device accounts and credentials since the API is authenticated, include network video equipment in regular security assessments, and keep an accurate inventory so that affected models and firmware versions can actually be found. In terms of classification, the root cause is improper input validation (CWE-20) leading to command injection (CWE-77) or code injection (CWE-94). For ATT&CK, command injection on a Linux-based AXIS OS device maps to T1059.004 (Command and Scripting Interpreter: Unix Shell), and the resource exhaustion outcome maps to T1499 (Endpoint Denial of Service), specifically T1499.004 (Application or System Exploitation); network denial of service (T1498) is a different technique and does not apply here.
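The monitoring recommendation above, as an added example that is not Axis code and not part of the VulDB analysis: a small Python scanner over HTTP access-log lines that URL-decodes the request target, flags requests to dynamicoverlay.cgi that contain shell metacharacters, and counts per-source request bursts to the endpoint that could indicate a resource-exhaustion attempt. The /axis-cgi/dynamicoverlay/ path prefix, the text query parameter name, the combined log format and the burst threshold are all assumptions, and the log lines are constructed. It only sees the request target, so parameters sent in a POST body are invisible to it and need a proxy or WAF that logs request bodies.

```python
# Added example for the monitoring recommendation; not Axis code and not part
# of the VulDB analysis. Assumptions are marked inline.
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format request line as a reverse proxy or the device's web
# server would record it (assumed format; adjust the regex to your log source).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Script name from the advisory. Only the script name is matched, so the
# /axis-cgi/dynamicoverlay/ prefix used in the sample below is an assumption.
ENDPOINT = "dynamicoverlay.cgi"

# Characters that let a parameter value break out of a shell command line.
# Legitimate overlay text could contain '<' or '>', so tune this to your data.
SHELL_META = re.compile(r'[;&|`$<>\n]')

# Requests to the endpoint from one source within the analysed window before
# it is reported as a possible resource-exhaustion burst (assumed threshold).
BURST_THRESHOLD = 5


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Decode twice: one layer of percent-encoding hides ';' as %3B, and
    # double-encoding (%253B) defeats filters that decode only once.
    rec["decoded_target"] = unquote_plus(unquote_plus(rec["target"]))
    return rec


def analyze(lines):
    """Return (injection_hits, burst_sources) for the given log lines.

    injection_hits: list of dicts for endpoint requests carrying shell
                    metacharacters in the decoded request target.
    burst_sources:  sorted list of client addresses that hit the endpoint
                    at least BURST_THRESHOLD times.
    """
    hits = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or ENDPOINT not in rec["decoded_target"].lower():
            continue
        per_source[rec["src"]] += 1
        meta = SHELL_META.search(rec["decoded_target"])
        if meta:
            hits.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "meta": meta.group(0),
                "target": rec["decoded_target"],
            })
    bursts = sorted(src for src, n in per_source.items() if n >= BURST_THRESHOLD)
    return hits, bursts


# Constructed sample log, not captured traffic. The 'text' query parameter is
# a placeholder name, not a documented dynamicoverlay.cgi parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=Camera1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=a%3Bid HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=a%2526b HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:12:00:04 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=Lobby HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:12:00:05 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=Door HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2025:12:00:06 +0000] "GET /axis-cgi/dynamicoverlay/dynamicoverlay.cgi?text=Yard HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2025:12:00:07 +0000] "GET /axis-cgi/param.cgi?action=list%3Bid HTTP/1.1" 200 512',
    'not an access log line',
]

if __name__ == "__main__":
    injection_hits, burst_sources = analyze(SAMPLE_LOG)
    for h in injection_hits:
        print(f"[injection?] {h['src']} at {h['ts']}: {h['meta']!r} in {h['target']}")
    for src in burst_sources:
        print(f"[burst] {src} made {BURST_THRESHOLD}+ requests to {ENDPOINT}")
```

On the sample, the scanner reports two suspicious requests from 10.0.0.9 (a plain `;` and a double-encoded `&`), ignores the `;` aimed at an unrelated CGI, and lists 10.0.0.9 as a burst source because it hit the endpoint five times in the window. Feed it real lines from a syslog collector or reverse proxy and treat hits as triage leads, not verdicts; the metacharacter list is deliberately broad and will produce false positives on some legitimate overlay strings.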