CVE-2023-5677

Brandon
Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. The impact of exploiting
this vulnerability is lower with operator-privileges compared to
administrator-privileges service accounts. Please refer to the Axis security advisory
for more information and solution.
OS Command Injection
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
AxisCNA
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
axism3024-lve_firmware
𝑥
< 5.51.7.7
axism3025-ve_firmware
𝑥
< 5.51.7.7
axism7014_firmware
𝑥
< 5.51.7.7
axism7016_firmware
𝑥
< 5.51.7.7
axisp1214-e_firmware
𝑥
< 5.51.7.7
axisp7214_firmware
𝑥
< 5.51.7.7
axisp7216_firmware
𝑥
< 5.51.7.7
axisq7401_firmware
𝑥
< 5.51.7.7
axisq7404_firmware
𝑥
< 5.51.7.7
axisq7414_firmware
𝑥
< 5.51.7.7
axisq7424-r_mk_ii_firmware
𝑥
< 5.51.3.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.axis.com/dam/public/0a/47/d1/cve-2023-5677-en-US-483444.pdf
https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf