CVE-2023-5677

moderate-risk

Published 2024-02-05

Brandon Rothel from QED Secure Solutions and Sam Hanson of Dragos have found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Please refer to the Axis security advisory for more information and solution.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

NETWORK / LOW complexity

Affected Products (11)

M3024-Lve Firmware

M3025-Ve Firmware

M7014 Firmware

M7016 Firmware

P1214-E Firmware

P7214 Firmware

P7216 Firmware

Q7401 Firmware

Q7404 Firmware

Q7414 Firmware

Q7424-R Mk Ii Firmware

Affected Vendors

Axis

References (2)

https://www.axis.com/dam/public/0a/47/d1/cve-2023-5677-en-US-483444.pdf

Vendor Advisory https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf

/ 100

moderate-risk

Severity 23/34 · High

Exploitability 0/34 · Minimal

Exposure 16/34 · Moderate