CVE-2024-47259: Malicious File Upload
First published: Tue Mar 04 2025(Updated: )
Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Credit: product-security@axis.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| AXIS OS |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-47259?
CVE-2024-47259 has been categorized with a medium severity due to the potential for command injection affecting file transfers.
How do I fix CVE-2024-47259?
To fix CVE-2024-47259, ensure your Axis devices are updated to the latest firmware that addresses this vulnerability.
What systems are affected by CVE-2024-47259?
CVE-2024-47259 affects devices running Axis AXIS OS, particularly those utilizing the VAPIX API.
What type of attack is associated with CVE-2024-47259?
CVE-2024-47259 is associated with a command injection vulnerability that could lead to resource exhaustion on Axis devices.
Who discovered CVE-2024-47259?
CVE-2024-47259 was discovered by Girishunawane, a participant in the AXIS OS Bug Bounty Program.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/source
- agent/author
- agent/tags
- agent/event
- vendor/axis
- canonical/axis os