CVE-2024-47259

CVE-2024-47259 is a vulnerability in the VAPIX API's dynamicoverlay.cgi component of AXIS OS, stemming from insufficient input validation that enables command injection. This flaw allows attackers to transfer files to affected Axis devices, potentially exhausting system resources. The issue was identified by Girishunawane through the AXIS OS Bug Bounty Program and carries a CVSS v3.1 base score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Exploitation requires network access, high attack complexity, and low privileges (PR:L), with no user interaction needed but a changed scope (S:C). A successful attack enables limited integrity impact (I:L), such as uploading files via command injection to deplete resources on the device, though it does not affect confidentiality or availability per the CVSS vector.

Axis has released patched versions of AXIS OS to address this flaw. For detailed mitigation steps and affected products, refer to the official Axis security advisory at https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf.