CVE-2024-6173
📋 TL;DR
A VAPIX API parameter on Axis devices accepts arbitrary values into the configuration of a guard tour. An attacker who can call that API can use it to make the guard tour configuration page inaccessible, a denial of service limited to the guard tour feature. Affected products are Axis devices running unpatched AXIS OS versions; the vendor advisory lists the exact versions.
💻 Affected Systems
- Axis devices with Guard Tour functionality
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for guard tour configuration functionality, preventing security personnel from managing guard tour schedules and routes.
Likely Case
Loss of access to the guard tour configuration page until the injected configuration value is removed or the device is updated, requiring manual intervention by an administrator rather than self-recovery.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthorized API access.
🎯 Exploit Status
Exploitation requires the ability to make authenticated VAPIX API requests to the device and knowledge of the vulnerable parameter. No public exploit is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: the patched AXIS OS versions are listed per AXIS OS track in the Axis security advisory linked below.
Vendor Advisory: https://www.axis.com/dam/public/5a/87/a2/cve-2024-6173-en-US-458042.pdf
Restart Required: Yes
Instructions:
1. Download the patched AXIS OS version from the Axis website.
2. Back up the device configuration.
3. Apply the firmware update via the web interface or Axis Device Manager.
4. Reboot the device.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict VAPIX API Access
Limit network access to VAPIX API endpoints using firewall rules or network segmentation.
Disable Guard Tour Feature
Temporarily disable Guard Tour functionality if it is not required.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Axis devices from untrusted networks
- Monitor VAPIX API access logs for suspicious parameter values and block offending IPs
🔍 How to Verify
Check if Vulnerable:
Compare the installed AXIS OS version with the affected and patched versions in the Axis advisory. As a functional check, open the guard tour configuration page while capturing the VAPIX calls the web interface makes; a page that fails to load on an otherwise healthy device is consistent with an injected guard tour configuration value.
Check Version:
Check the device web interface under System > Support > System Overview, or query the VAPIX API with an authenticated request (Axis devices use HTTP digest authentication by default): http://[device-ip]/axis-cgi/admin/param.cgi?action=list&group=Properties.Firmware.Version
Verify Fix Applied:
Confirm the AXIS OS version is at or above the patched version for its track, then confirm the guard tour configuration page loads and the VAPIX calls it makes return success.
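The version check above can be scripted. The block below is an added example, not Axis tooling: it parses the `param.cgi` response (one `root.<Group>.<Param>=<value>` line per parameter) and classifies the device against a table of first-patched versions per AXIS OS track. The patched versions are not hard-coded because they must be taken from the Axis advisory; the script reads them from its arguments. Track prefixes such as `10.12` (an LTS track) and `11` (the active track) are assumptions about how the advisory groups its fixed versions.

```python
"""Check an Axis device's AXIS OS version against an advisory's patched-version table.

Added example, not Axis code. Parses the response of
  /axis-cgi/param.cgi?action=list&group=Properties.Firmware.Version
and compares the installed version with the first patched version on the
same AXIS OS track. The patched versions come from the advisory, not from here.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

VERSION_RE = re.compile(r"^root\.Properties\.Firmware\.Version=(\d+(?:\.\d+)*)\s*$", re.M)


def parse_version(body: str) -> Optional[Version]:
    """Extract the firmware version from a param.cgi 'list' response, or None."""
    m = VERSION_RE.search(body)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_version_str(s: str) -> Version:
    return tuple(int(p) for p in s.strip().split("."))


def at_or_above(installed: Version, minimum: Version) -> bool:
    """Numeric compare; shorter tuples are zero-padded so 11.10 == 11.10.0."""
    n = max(len(installed), len(minimum))

    def pad(v: Version) -> Version:
        return v + (0,) * (n - len(v))

    return pad(installed) >= pad(minimum)


def check_device(body: str, patched_by_track: Dict[Version, Version]) -> Tuple[str, Optional[Version]]:
    """Classify a device as 'patched', 'vulnerable', 'unknown-track' or 'unparseable'.

    patched_by_track maps a track prefix, e.g. (10, 12) for a 10.12 LTS track or
    (11,) for the 11.x active track, to the first patched version on that track.
    The most specific matching prefix wins, so (10, 12) beats (10,).
    """
    installed = parse_version(body)
    if installed is None:
        return "unparseable", None
    matches = [t for t in patched_by_track if installed[: len(t)] == t]
    if not matches:
        return "unknown-track", installed
    track = max(matches, key=len)
    status = "patched" if at_or_above(installed, patched_by_track[track]) else "vulnerable"
    return status, installed


def parse_track_args(args: List[str]) -> Dict[Version, Version]:
    """Turn '10.12=10.12.A 11=11.B.C' style arguments into a patched_by_track table."""
    table: Dict[Version, Version] = {}
    for a in args:
        track, _, fixed = a.partition("=")
        table[parse_version_str(track)] = parse_version_str(fixed)
    return table


if __name__ == "__main__":
    # Usage (fixed versions are placeholders to be filled from the advisory):
    #   curl --digest -u root:PASS \
    #     'http://DEVICE/axis-cgi/param.cgi?action=list&group=Properties.Firmware.Version' \
    #     | python axis_version_check.py 10.12=<fixed 10.12.x> 11=<fixed 11.x.y>
    table = parse_track_args(sys.argv[1:])
    status, installed = check_device(sys.stdin.read(), table)
    print(status, ".".join(map(str, installed)) if installed else "-")
    sys.exit(0 if status == "patched" else 1)
```

The exit code makes the script usable from a fleet inventory loop; a device on a track missing from the table is reported as `unknown-track` rather than silently passed, since an LTS device older than every listed version may or may not be affected.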
📡 Detection & Monitoring
Log Indicators:
- Unusual VAPIX API requests to guard tour endpoints
- Failed access attempts to guard tour configuration page
- Multiple parameter manipulation attempts
Network Indicators:
- HTTP requests to VAPIX API with abnormal parameter values
- Increased traffic to guard tour endpoints from unauthorized sources
SIEM Query (pseudo-fields; adapt field names and paths to your log schema; a clause such as param_value="*" matches every event and should be avoided):
source="axis_device" AND uri_path="/axis-cgi/param.cgi" AND uri_query="*GuardTour*" AND (uri_query="*action=update*" OR status_code>=500)
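The detection logic above, run over constructed access-log lines, as an added example that is not part of the original page or any Axis product. Assumptions: the log is in Common Log Format (adjust `LOG_RE` for your collector), guard tour settings are written through `/axis-cgi/param.cgi?action=update` with parameters in the `GuardTour.*` group, and a value is suspicious when it is unusually long, contains control characters, or falls outside a small allowlist. `MAX_VALUE_LEN` and `ALLOWED` are tuning knobs, not vendor limits.

```python
"""Flag suspicious guard-tour configuration writes in Axis device HTTP access logs.

Added example, not vendor detection content. The sample log lines are
constructed; the heuristics and field layout are assumptions to tune per site.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

PARAM_CGI = "/axis-cgi/param.cgi"
GUARD_PREFIX = "GuardTour."
MAX_VALUE_LEN = 64                      # assumption: longest legitimate value
ALLOWED = re.compile(r"^[\w .,\-]*$")   # assumption: printable names only

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample (not real device output). Lines 3-5 should be flagged;
# line 2 is a legitimate tour rename and line 1 does not touch guard tours.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - admin [01/Jul/2024:10:15:01 +0000] "GET /axis-cgi/param.cgi?action=list&group=Properties.Firmware.Version HTTP/1.1" 200 41',
    '10.0.0.5 - admin [01/Jul/2024:10:15:10 +0000] "GET /axis-cgi/param.cgi?action=update&GuardTour.G0.Name=Night%20round HTTP/1.1" 200 2',
    '10.0.0.77 - admin [01/Jul/2024:10:16:00 +0000] "GET /axis-cgi/param.cgi?action=update&GuardTour.G0.Name=%00%00%3Cscript%3E HTTP/1.1" 200 2',
    '10.0.0.77 - admin [01/Jul/2024:10:16:05 +0000] "GET /axis-cgi/param.cgi?action=update&GuardTour.G0.Name=' + "A" * 80 + ' HTTP/1.1" 200 2',
    '10.0.0.77 - admin [01/Jul/2024:10:16:30 +0000] "GET /axis-cgi/param.cgi?action=list&group=GuardTour HTTP/1.1" 500 0',
])


def suspicious_value(value: str) -> Optional[str]:
    """Reason the (URL-decoded) value looks injected, or None if it passes."""
    if len(value) > MAX_VALUE_LEN:
        return f"length {len(value)} exceeds {MAX_VALUE_LEN}"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control characters"
    if not ALLOWED.match(value):
        return "characters outside allowlist"
    return None


def analyze(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious guard-tour write or per failing guard-tour request."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = urlsplit(rec["target"])
        if "GuardTour" not in parts.query:
            continue
        # parse_qsl URL-decodes values, so %00 becomes a real NUL byte here.
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        if parts.path == PARAM_CGI and params.get("action") == "update":
            for name, value in params.items():
                reason = suspicious_value(value) if name.startswith(GUARD_PREFIX) else None
                if reason:
                    findings.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                                     "param": name, "reason": reason})
        if int(rec["status"]) >= 500:
            findings.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                             "param": parts.query,
                             "reason": f"HTTP {rec['status']} on guard tour request"})
    return findings


def by_ip(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Findings per source address: candidates for the IP block in the workarounds."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['user']} {f['param']}: {f['reason']}")
    print(by_ip(hits))
```

Matching on the decoded value rather than the raw query string matters: an encoded NUL (`%00`) or angle bracket passes a naive substring rule on the raw URI but fails the allowlist once decoded. Since the writes come from an authenticated account, the `user` field in each finding is as useful as the address when deciding whether the activity is an attacker or an administrator's mistake.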