CVE-2024-0067
📋 TL;DR
This vulnerability in Axis devices allows attackers to perform path traversal attacks through the VAPIX API ledlimit.cgi endpoint, enabling them to list folder and file names on the local file system. This affects Axis devices running vulnerable versions of AXIS OS. The vulnerability was discovered through the Axis Bug Bounty Program.
💻 Affected Systems
- Axis devices with VAPIX API
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map the entire file system structure, potentially discovering sensitive configuration files, credentials, or other system information that could lead to further exploitation.
Likely Case
Information disclosure of file system structure, potentially revealing configuration details, log files, or other system information that could aid in reconnaissance for further attacks.
If Mitigated
Limited information disclosure with no access to file contents, only directory listings.
🎯 Exploit Status
Path traversal attacks typically require minimal technical skill. The vulnerability allows directory listing but not file reading or writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched AXIS OS versions (specific versions in Axis advisory)
Vendor Advisory: https://www.axis.com/dam/public/c7/d0/91/cve-2024-0067-en-US-448994.pdf
Restart Required: Yes
Instructions:
1. Check current AXIS OS version.
2. Download patched version from Axis support portal.
3. Upload and install update via device web interface.
4. Reboot device after installation.
🔧 Temporary Workarounds
Disable VAPIX API
Disable the VAPIX API if not required for device functionality
Network Access Control
Restrict network access to Axis devices using firewall rules
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Axis devices from untrusted networks
- Deploy web application firewall (WAF) rules to block path traversal patterns
🔍 How to Verify
Check if Vulnerable:
Test whether the ledlimit.cgi endpoint accepts path traversal sequences (e.g., ../ patterns) and returns directory listings
Check Version:
Check device web interface under System > Support > System Overview for AXIS OS version
Verify Fix Applied:
Verify patched version is installed and test that path traversal attempts no longer return directory listings
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to ledlimit.cgi with ../ patterns
- Unusual access patterns to VAPIX API endpoints
Network Indicators:
- HTTP requests containing path traversal sequences to Axis device IPs
- Multiple directory listing attempts
SIEM Query:
source="axis_device_logs" AND uri="*ledlimit.cgi*" AND (uri="*../*" OR uri="*..\\*" OR user_agent="*scanner*")
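As an added example (not from the original page or from Axis), the log indicators above implemented as a Python check over constructed sample access-log lines: it percent-decodes the URI repeatedly (so double-encoded and backslash variants that the plain `*../*` wildcard would miss are still caught) before looking for a `..` segment in requests to ledlimit.cgi. The combined-log format, the query-parameter name `q`, and the IP addresses are assumptions; the page names only the endpoint and the `../` pattern.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real Axis device logs). The combined-log
# layout, the parameter name "q" and the addresses are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /axis-cgi/ledlimit.cgi HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /axis-cgi/ledlimit.cgi?q=../ HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "GET /axis-cgi/ledlimit.cgi?q=..%2F..%2F HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.0.2.12 - - [01/Jan/2024:10:00:04 +0000] "GET /axis-cgi/ledlimit.cgi?q=%252e%252e%252f HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Jan/2024:10:00:05 +0000] "GET /axis-cgi/ledlimit.cgi?q=..%5C..%5C HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Jan/2024:10:00:06 +0000] "GET /axis-cgi/param.cgi?action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding such as %252e),
    then fold backslashes to slashes so ..\\ is treated like ../."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")

def has_traversal(uri: str) -> bool:
    """True if any path or query segment of the normalized URI is exactly '..'."""
    return any(seg == ".." for seg in re.split(r"[/?&=]", normalize_uri(uri)))

def flag_ledlimit_traversal(log_text: str) -> list:
    """Return one record per request to ledlimit.cgi that carries a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than silently misjudge them
        uri = m.group("uri")
        if "ledlimit.cgi" in uri.lower() and has_traversal(uri):
            hits.append({"ip": m.group("ip"), "uri": uri, "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for hit in flag_ledlimit_traversal(SAMPLE_LOG):
        print(hit)
```

The plain `ledlimit.cgi` request and the unrelated `param.cgi` call are not flagged; the four encoded and unencoded `..` variants are.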