CVE-2025-11142
📋 TL;DR
CVE-2025-11142 is an OS command injection vulnerability in Axis camera VAPIX API's mediaclip.cgi endpoint that allows authenticated attackers with operator or administrator privileges to execute arbitrary commands on affected devices. This affects Axis network cameras and video encoders with vulnerable firmware versions. Attackers must first authenticate with privileged credentials before exploiting this flaw.
💻 Affected Systems
- Axis network cameras
- Axis video encoders
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise allowing attackers to execute arbitrary commands, install malware, pivot to internal networks, or disrupt camera operations.
Likely Case
Attackers with stolen or compromised credentials gain persistent access to cameras, potentially disabling surveillance or exfiltrating video feeds.
If Mitigated
Limited impact due to strong credential management, network segmentation, and proper access controls preventing unauthorized authentication.
🎯 Exploit Status
Exploitation requires valid credentials but the command injection itself is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions released after 2025-01-15
Vendor Advisory: https://www.axis.com/dam/public/18/0e/90/cve-2025-11142pdf-en-US-519291.pdf
Restart Required: Yes
Instructions:
1. Download latest firmware from Axis support portal.
2. Back up camera configuration.
3. Upload firmware via web interface.
4. Apply update.
5. Reboot device.
6. Restore configuration if needed.
🔧 Temporary Workarounds
Disable VAPIX API
Disable the vulnerable mediaclip.cgi endpoint by turning off VAPIX API access (all platforms)
Navigate to System > Options > Advanced > Plain Config > Enable VAPIX API: No
Restrict Network Access
Limit access to VAPIX API endpoints using firewall rules (Linux)
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict credential management with strong passwords and multi-factor authentication
- Segment camera networks from critical infrastructure using VLANs or firewalls
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > Support > System Overview
Check Version:
curl -u admin:password "http://camera-ip/axis-cgi/admin/param.cgi?action=list&group=Properties.Firmware.Version"
Verify Fix Applied:
Verify firmware version is 2025-01-15 or later and test mediaclip.cgi endpoint with sanitized input
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by mediaclip.cgi access
Network Indicators:
- Unusual outbound connections from cameras
- Traffic to mediaclip.cgi with suspicious parameters
SIEM Query:
source="axis-camera" AND (uri="*mediaclip.cgi*" AND (param="*;*" OR param="*|*" OR param="*`*"))
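The two log indicators and the SIEM query above, as an added detection example (not from the vendor advisory or any Axis tooling). It also percent-decodes parameter values, which a wildcard match on raw request lines would not see. The Apache common-log line layout, the threshold of 3, and the parameter names in the sample are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

SHELL_META = set(";|`")  # metacharacters named in the page's SIEM query
# Assumption: Apache common-log style access lines; adjust to your log export.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode(value, rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def suspicious_params(target):
    """Parameter names with a metacharacter after decoding; None if not mediaclip.cgi."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/mediaclip.cgi"):
        return None
    pairs = parse_qsl(parts.query, keep_blank_values=True, separator="&")
    return [k for k, v in pairs if SHELL_META & set(decode(k) + decode(v))]

def scan(lines, fail_threshold=3):
    """Return (source, reason) alerts for the two log indicators listed above."""
    fails, alerts = Counter(), []
    for m in filter(None, map(LINE_RE.match, lines)):
        src, status = m["src"], m["status"]
        if status == "401":
            fails[src] += 1  # digest auth opens with a 401 challenge, so use a threshold
            continue
        hits = suspicious_params(m["target"])
        if hits is None:
            continue  # not a mediaclip.cgi request
        if hits:
            alerts.append((src, "metachar in " + ",".join(hits)))
        if fails[src] >= fail_threshold:
            alerts.append((src, f"{fails[src]} auth failures before mediaclip.cgi"))
    return alerts

# Constructed sample: documentation IPs, made-up parameter names and values.
def _line(src, target, status):
    return f'{src} - - [01/Feb/2025:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 0'
SAMPLE = (
    [_line("192.0.2.10", "/axis-cgi/mediaclip.cgi?action=play&clip=3", 200),
     _line("192.0.2.20", "/axis-cgi/mediaclip.cgi?action=update&name=a%3Bb", 200),
     _line("192.0.2.40", "/axis-cgi/mediaclip.cgi?action=update&name=a%257Cb", 200)]
    + [_line("192.0.2.30", "/axis-cgi/param.cgi?action=list", 401)] * 3
    + [_line("192.0.2.30", "/axis-cgi/mediaclip.cgi?action=play&clip=1", 200)])
```

Call `scan()` on an iterable of access-log lines; the failure counter has no time window, so feed it one bounded log slice at a time.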