CVE-2023-5677

Published: Feb 5, 2024Modified: May 15, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more information and solution.

Affected (11)

Products: Axis: M3024 Lve Firmware, M3025 Ve Firmware, M7014 Firmware, M7016 Firmware, P1214 E Firmware, P7214 Firmware, P7216 Firmware, Q7401 Firmware, Q7404 Firmware, Q7414 Firmware, Q7424 R Mk Ii Firmware

11 products

Q7424 R Mk Ii Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis M3024 Lve Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis M3024 Lve	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis M3025 Ve Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis M3025 Ve	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis M7014 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis M7014	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis M7016 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis M7016	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis P1214 E Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis P1214 E	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis P7214 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis P7214	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis P7216 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis P7216	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis Q7401 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis Q7401	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis Q7404 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis Q7404	All versions

Configuration J

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis Q7414 Firmware	Before 5.51.7.7

Running on/with	Platform Versions
Axis Q7414	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Axis Q7424 R Mk Ii Firmware	Before 5.51.3.9

Running on/with	Platform Versions
Axis Q7424 R Mk Ii	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://www.axis.com/dam/public/0a/47/d1/cve-2023-5677-en-US-483444.pdf

Source: product-security@axis.com

https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.