Keanesec

**Name of the Vulnerable Software and Affected Versions** Axis (affected versions not specified) **Description** An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This issue is exploitable if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces a victim to install a malicious ACAP application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axis (affected versions not specified) **Description** A malicious ACAP application can obtain admin-level service account credentials utilized by legitimate ACAP applications, potentially allowing for privilege escalation of the malicious ACAP application. This is possible if the Axis device permits the installation of unsigned ACAP applications and an attacker successfully convinces a user to install a malicious ACAP application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axis ACAP Application framework (affected versions not specified) **Description** The ACAP Application framework may allow for privilege escalation through a symlink attack. Exploitation requires the Axis device to be configured to permit the installation of unsigned ACAP applications and for an attacker to convince a user to install a malicious ACAP application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axis Communications ACAP applications (affected versions not specified) **Description** ACAP applications may be able to gain elevated privileges due to improper input validation, which could lead to privilege escalation. This is only possible if the Axis device allows the installation of unsigned ACAP applications and an attacker convinces a user to install a malicious ACAP application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.