Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AnalysisAI
Command injection in Axis OS ACAP configuration file processing allows privilege escalation when unsigned ACAP applications are enabled and a user installs a malicious application. The vulnerability requires high-privileged user interaction and local access but bypasses normal code signing protections to achieve code execution with elevated privileges.
Technical ContextAI
ACAP (Axis Camera Application Platform) is Axis Communications' application framework for embedded devices. The vulnerability stems from insufficient input validation (CWE-1287: Improper Neutralization of Special Elements used in a Command) in how ACAP configuration files are parsed and processed. When an unsigned ACAP application is installed on a device configured to permit such installations, a malicious actor can inject shell commands into the configuration file. The Axis OS then executes these commands during ACAP initialization or operation, potentially with elevated privileges. The attack surface is limited by the requirement to disable code-signing verification and convince a high-privileged user to install the malicious application.
RemediationAI
Update Axis OS to the patched version specified by Axis Communications. The primary mitigation is to enforce the default security configuration: disable the installation of unsigned ACAP applications via device administration settings. This eliminates the attack vector entirely and should be the standard configuration except in controlled development environments. Organizations requiring unsigned ACAP capability should implement compensating controls including: restrict ACAP installation to authenticated administrators with multi-factor authentication, audit all ACAP installation activity, and perform security scanning of custom ACAP binaries before deployment. Consult the Axis advisory at https://www.axis.com/dam/public/67/b8/75/cve-2026-0802pdf-en-US-530731.pdf for the exact patched OS version and deployment instructions.
Privilege escalation in Axis VAPIX framework.
Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b
GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29384
GHSA-v86x-m45w-rqrq