PatchSiren cyber security CVE debrief

CVE-2026-0541 Axis Communications AB CVE debrief

ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Vendor
Axis Communications AB
Product
AXIS OS
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-19
Advisory published
2026-05-12
Advisory updated
2026-05-19

Who should care

Organizations deploying Axis network cameras and video devices with ACAP application support enabled, particularly those in critical infrastructure, physical security, and surveillance environments where device integrity is essential.

Technical summary

CVE-2026-0541 is a privilege escalation vulnerability in Axis OS affecting installation of ACAP (Axis Camera Application Platform) applications. The flaw stems from improper input validation during the installation process, which allows a malicious ACAP application to gain elevated privileges. Exploitation requires the device to be configured to allow installation of unsigned ACAP applications and requires an attacker to convince a victim to install a malicious application. The vulnerability carries a CVSS 3.1 base score of 6.7 (Medium) with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Note that the vector's UI:N component sits alongside the description's requirement that a victim be convinced to install the application; the PR:H component reflects that the installing account already holds elevated rights on the device. The weakness is classified as CWE-732 (Incorrect Permission Assignment for Critical Resource). Affected versions are the Axis OS active track from 12.0.0 up to, but not including, 12.9.32.

Defensive priority

Medium

Recommended defensive actions

  • Review Axis device configurations to ensure unsigned ACAP application installation is disabled unless explicitly required.
  • Upgrade Axis OS to version 12.9.32 or later to remediate this vulnerability.
  • Audit installed ACAP applications and remove any unauthorized or unverified packages.
  • Restrict administrative access to device management interfaces to reduce the risk of social engineering attacks convincing users to install malicious applications.
  • Monitor for anomalous privilege escalation activity on Axis devices, particularly related to ACAP application execution.

Evidence notes

Published by NVD on 2026-05-12; modified 2026-05-19. Vendor advisory issued by Axis. CVSS 3.1 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. CWE-732 (Incorrect Permission Assignment for Critical Resource). Affects Axis OS active versions from 12.0.0 up to (but not including) 12.9.32.

Official resources

2026-05-12