CVE-2024-47259

Low

Published: 04 March 2025

Published

04 March 2025

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 3.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

EPSS Score 0.0035 57.7th percentile

Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47259 is a low-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Axis Axis Os. Its CVSS base score is 3.5 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates validation of inputs to the VAPIX API's dynamicoverlay.cgi to prevent command injection exploits.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and application of Axis OS patches to remediate the input validation flaw.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to limit the scope and impact of commands injected via the low-privilege (PR:L) API endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1105 Ingress Tool Transfer Command And Control

Adversaries may transfer tools or other files from an external system into a compromised environment.

attack.mitre.org →

Why these techniques?

Command injection in public-facing VAPIX API enables T1190 exploitation, Unix shell command execution (T1059.004), and file ingress/transfer (T1105) for resource impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have a sufficient input validation allowing for a possible command injection leading to being able to transfer files to the Axis device…

with the purpose to exhaust system resources. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Deeper analysisAI

CVE-2024-47259 is a vulnerability in the VAPIX API's dynamicoverlay.cgi component of AXIS OS, stemming from insufficient input validation that enables command injection. This flaw allows attackers to transfer files to affected Axis devices, potentially exhausting system resources. The issue was identified by Girishunawane through the AXIS OS Bug Bounty Program and carries a CVSS v3.1 base score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N), mapped to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Exploitation requires network access, high attack complexity, and low privileges (PR:L), with no user interaction needed but a changed scope (S:C). A successful attack enables limited integrity impact (I:L), such as uploading files via command injection to deplete resources on the device, though it does not affect confidentiality or availability per the CVSS vector.

Axis has released patched versions of AXIS OS to address this flaw. For detailed mitigation steps and affected products, refer to the official Axis security advisory at https://www.axis.com/dam/public/13/cd/4a/cve-2024-47259pdf-en-US-466882.pdf.