During internal Axis Security Development Model (ASDM) assessments, a new vulnerability was found affecting all ARTPEC-8, i.MX8 QP, i.MX6 SX, i.MX6 ULL, i.MX8M Mini, and i.MX8M Nano UL-based products. A patch for the vulnerability will be made available with the upcoming releases of AXIS OS 12.0, AXIS OS 11.11 LTS, and AXIS OS 10.12 LTS in September. For security reasons, Axis will not provide more detailed information about the vulnerability beyond what is stated in the security advisory upon its public disclosure on September 10, 2024.
The patch will enforce downgrade restrictions, meaning that the product can only be downgraded to the very latest version of the AXIS OS 11.11 LTS or AXIS OS 10.12 LTS track if the product has support for it. From then on, other older/intermediate AXIS OS versions will not be accepted by the product. Please visit the AXIS OS portal for the complete list of affected products.
The release notes of the patched AXIS OS 12.0, AXIS OS 11.11 LTS and AXIS OS 10.12 LTS will state the following:
“Addressed CVE-2024-7784. Note that downgrading the product to an older AXIS OS version other than the latest supported LTS 2024 (11.11.109) or LTS 2022 (10.12.2xx) release is not possible. For more information, please visit the Axis vulnerability management portal. Applies to: All products based on AXIS ARTPEC-8, I.MX 6SX, I.MX 6ULL, I.MX 8M-Mini, I.MX 8M-NANO and I.MX 8QP/M”
Axis provides a notification service for information about vulnerabilities and other security-related matters for Axis products.