Detections
Analytics

Axis Communications Network Cameras and Video Servers Authentication Bypass (CVE-2004-2426)

medium Tenable OT Security Plugin ID 502705

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Directory traversal vulnerability in Axis Network Camera 2.40 and earlier, and Video Server 3.12 and earlier, allows remote attackers to bypass authentication via a .. (dot dot) in an HTTP POST request to ServerManager.srv, then use these privileges to conduct other activities, such as modifying files using editcgi.cgi.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory.

See Also

http://www.securityfocus.com/bid/11011

http://securitytracker.com/id?1011056

http://secunia.com/advisories/12353

http://www.osvdb.org/9122

https://exchange.xforce.ibmcloud.com/vulnerabilities/17079

http://www.nessus.org/u?11b154e8

http://www.nessus.org/u?a7f67a8b

Plugin Details

Severity: Medium

ID: 502705

File Name: tenable_ot_axiscommunication_CVE-2004-2426.nasl

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 11/29/2024

Updated: 3/5/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2004-2426

Vulnerability Information

CPE: cpe:/h:axis:230_mpeg2_video_server:3.11

Required KB Items: Tenable.ot/AxisCommunication

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/31/2004

Vulnerability Publication Date: 12/31/2004

Reference Information

CVE: CVE-2004-2426