PatchSiren cyber security CVE debrief

CVE-2026-0802 Axis Communications AB CVE debrief

An ACAP configuration file in Axis OS lacked sufficient input validation, enabling command injection and potential privilege escalation. Exploitation requires that the device permit installation of unsigned ACAP applications and that a user install a malicious application.

Vendor: Axis Communications AB
Product: AXIS OS
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations deploying Axis network cameras or video encoders with ACAP application support enabled, particularly those in critical infrastructure, surveillance, or physical security environments where device integrity is essential.

Technical summary

The vulnerability exists in ACAP (Axis Camera Application Platform) configuration file processing, where insufficient input validation allows command injection. The attack vector is local and high privileges are required, but successful exploitation yields high confidentiality and integrity impact. The attack chain requires: (1) a device configured to allow unsigned ACAP applications, and (2) social engineering to get a malicious ACAP package installed.

Defensive priority

medium

Recommended defensive actions

  • Restrict ACAP application installation to signed applications only via device configuration policies.
  • Upgrade Axis OS to version 12.9.33 or later where this vulnerability is remediated.
  • Audit installed ACAP applications and remove any unauthorized or unsigned packages.
  • Monitor device logs for anomalous command execution or privilege escalation indicators.
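
The first three actions can be applied as a fleet triage pass; the script below is an added example, not vendor or PatchSiren code. It assumes a constructed inventory whose field names (`axis_os`, `allow_unsigned`, `unsigned_apps`) are hypothetical, and it treats 12.9.33 as the only fix threshold because that is the only fixed version this page gives.

```python
import re

FIXED = (12, 9, 33)  # fixed AXIS OS version stated on this page

# Constructed inventory; field names are hypothetical, not an Axis API.
INVENTORY = [
    {"host": "cam-lobby", "axis_os": "12.9.33", "allow_unsigned": False, "unsigned_apps": []},
    {"host": "cam-dock", "axis_os": "12.8.61", "allow_unsigned": True, "unsigned_apps": ["counter"]},
    {"host": "cam-gate", "axis_os": "12.7.5", "allow_unsigned": False, "unsigned_apps": []},
    {"host": "enc-01", "axis_os": "12.10.2", "allow_unsigned": True, "unsigned_apps": []},
    {"host": "cam-roof", "axis_os": "unknown", "allow_unsigned": False, "unsigned_apps": []},
]

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(device):
    """Map one device to a bucket and the recommended actions that apply to it."""
    version = parse_version(device["axis_os"])
    # An unreadable version is treated as unpatched until someone confirms it.
    unpatched = version is None or version < FIXED  # numeric compare: 12.10.2 > 12.9.33
    actions = []
    if version is None:
        actions.append("verify firmware version")
    elif unpatched:
        actions.append("upgrade to 12.9.33 or later")
    if device["allow_unsigned"]:
        actions.append("restrict installation to signed ACAP applications")
    if device["unsigned_apps"]:
        actions.append("review unsigned apps: " + ", ".join(device["unsigned_apps"]))
    # "exposed": unpatched and a precondition from the attack chain is present.
    if unpatched and (device["allow_unsigned"] or device["unsigned_apps"]):
        return "exposed", actions
    return ("harden" if actions else "ok"), actions

def report(inventory):
    """Rows of (host, bucket, actions), most urgent bucket first."""
    order = {"exposed": 0, "harden": 1, "ok": 2}
    rows = [(d["host"],) + triage(d) for d in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

if __name__ == "__main__":
    for host, bucket, actions in report(INVENTORY):
        print(f"{host:10} {bucket:8} {'; '.join(actions) or 'no action'}")
```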

Evidence notes

CVE published 2026-05-12; modified 2026-05-19. Vendor advisory confirms affected versions and remediation. CVSS 3.1 vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N.
