CVE-2023-5677: Insufficient input validation in VAPIX API tcptext.cgi
First published: Mon Feb 05 2024(Updated: )
Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Credit: product-security@axis.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Axis M3024-LVE Firmware | ||
| Axis M3024-LVE | <5.51.7.7 | |
| All of | ||
| Axis M3025-VE Firmware | ||
| Axis M3025-VE | <5.51.7.7 | |
| All of | ||
| Axis M7014 Firmware | ||
| Axis M7014 | <5.51.7.7 | |
| All of | ||
| Axis M7016 Firmware | ||
| Axis M7016 | <5.51.7.7 | |
| All of | ||
| Axis P1214 | ||
| Axis P1214 Firmware | <5.51.7.7 | |
| All of | ||
| Axis p7214 | ||
| Axis p7214 firmware | <5.51.7.7 | |
| All of | ||
| Axis p7216 | ||
| Axis p7216 firmware | <5.51.7.7 | |
| All of | ||
| Axis q7401 firmware | <5.51.7.7 | |
| Axis q7401 | ||
| All of | ||
| Axis q7404 firmware | <5.51.7.7 | |
| Axis q7404 | ||
| All of | ||
| Axis Q7414 Firmware | <5.51.7.7 | |
| Axis Q7414 Firmware | ||
| All of | ||
| Axis q7424-r mk ii firmware | <5.51.3.9 | |
| Axis q7424-r mk ii |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-5677?
CVE-2023-5677 is classified as a critical vulnerability due to the potential for remote code execution.
How do I fix CVE-2023-5677?
To fix CVE-2023-5677, ensure that the affected Axis firmware is updated to version 5.51.7.7 or later.
What devices are affected by CVE-2023-5677?
CVE-2023-5677 affects various Axis camera models, including M3024-LVE, M3025-VE, M7014, M7016, P1214, P7214, P7216, Q7401, Q7404, Q7414, and Q7424-R MK II.
What is the exploitability of CVE-2023-5677?
CVE-2023-5677 can be exploited only after gaining authentication with an operator or administrator privileges.
What impact does CVE-2023-5677 have?
Exploitation of CVE-2023-5677 could allow an attacker to execute arbitrary code on the affected Axis devices.
- agent/references
- agent/title
- agent/first-publish-date
- agent/type
- agent/author
- agent/severity
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/event
- agent/last-modified-date
- agent/description
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/axis
- canonical/axis m3024-lve firmware
- canonical/axis m3024-lve
- canonical/axis m3025-ve firmware
- canonical/axis m3025-ve
- canonical/axis m7014 firmware
- canonical/axis m7014
- canonical/axis m7016 firmware
- canonical/axis m7016
- canonical/axis p1214
- canonical/axis p1214 firmware
- canonical/axis p7214
- canonical/axis p7214 firmware
- canonical/axis p7216
- canonical/axis p7216 firmware
- canonical/axis q7401 firmware
- canonical/axis q7401
- canonical/axis q7404 firmware
- canonical/axis q7404
- canonical/axis q7414 firmware
- canonical/axis q7424-r mk ii firmware
- canonical/axis q7424-r mk ii