Axis Communication Multiple Products Remote Code Execution (CVE-2023-5677)

high Tenable OT Security Plugin ID 501964


The remote OT asset is affected by a vulnerability.


Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileges compared to administrator-privileges service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

This plugin only works with Tenable.ot.
Please visit for more information.


Refer to the vendor advisory.

See Also

Plugin Details

Severity: High

ID: 501964

Version: 1.5

Type: remote

Family: Tenable.ot

Published: 2/12/2024

Updated: 6/18/2024

Supported Sensors: Tenable OT Security

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-5677


Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:axis:m3024-lve_firmware, cpe:/o:axis:m3025-ve_firmware, cpe:/o:axis:m7014_firmware, cpe:/o:axis:m7016_firmware, cpe:/o:axis:p1214-e_firmware, cpe:/o:axis:p7214_firmware, cpe:/o:axis:p7216_firmware, cpe:/o:axis:q7401_firmware, cpe:/o:axis:q7404_firmware, cpe:/o:axis:q7424-r_mk_ii_firmware, cpe:/o:axis:q7414_firmware, cpe:/o:axis:m3024-l_firmware

Required KB Items: Tenable.ot/AxisCommunication

Exploit Ease: No known exploits are available

Patch Publication Date: 2/5/2024

Vulnerability Publication Date: 2/5/2024

Reference Information

CVE: CVE-2023-5677

CWE: 94