Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which causes a denial of service (crash). The crash arises from code inside libdbus-send.so shared object or similar.

There was a Memory Corruption issue discovered in multiple models of Axis IP Cameras which allows remote attackers to cause a denial of service (crash) by sending a crafted command which will result in a code path that calls the UND undefined ARM instruction.

An issue was discovered in multiple models of Axis IP Cameras. There is Shell Command Injection.

An issue was discovered in multiple models of Axis IP Cameras. There is a bypass of access control.

An issue was discovered in multiple models of Axis IP Cameras. There is an Incorrect Size Calculation.

An issue was discovered in the httpd process in multiple models of Axis IP Cameras. There is Memory Corruption.

An issue was discovered in multiple models of Axis IP Cameras. There is an Exposed Insecure Interface.