Product Security

Overview

Axis follows industry best practices in managing and responding to security vulnerabilities in our products to minimize customers' risk of exposure. Axis cannot guarantee that products and services are free from flaws that may be exploited for malicious attacks.

Contact information

Axis monitors known vulnerabilities, referred to as CVEs (Common Vulnerabilities and Exposures). Those that affect our products will be patched as part of regular firmware/software updates. CVEs that Axis identifies as critical will be prioritized and often announced with a Security Advisory.

If you are concerned with a specific CVE that you believe may be present in the product's firmware:

  1. Check that you use the latest firmware/software for your product. The latest version may include a patch.
  2. Check the list of published Security Advisories (below).
  3. Read the Common remarks from security scanning tools.
  4. Contact Axis product support at https://www.axis.com/support

 

If you have discovered a new vulnerability in our product firmware, you are encouraged to submit your discovery via email to product-security@axis.com. Sensitive content can be encrypted using our public PGP key.

Note: product-security@axis.com will only respond to unknown potential product vulnerabilities (i.e., those for which there is not an already documented CVE).

Should your discovery pertain to an exploit or vulnerability related to the Axis web or related web services, please contact it-security@axis.com.

Note that Axis does not operate any bug bounty programs; however, we credit the person responsible for the discovery.

Secure device identification by Axis

Axis devices equipped with Axis Edge Vault are provisioned with an Axis device ID. Axis device ID certificates conform to 802.1AR and can be verified using the Axis device ID Root CA certificate. The Axis device ID Root CA can be used to verify Axis device ID identities manually, in device management tools or in an 802.1X authentication server.

Please remember to verify the download against the provided SHA-256 hash before using the Axis device ID Root CA as a trust anchor.

INTEGRITY CHECKSUM

SHA256:
32ca2dc3230764f2d638b54d2826c050613266162932a2d7e766f81a51e3aa60

INTEGRITY CHECKSUM

SHA256:
fc1a8b0d6585dc74215bcc4e87e852af9258637062d0fc4c417554a6f1b5a85e
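
A fail-closed form of that checksum verification, as an added example (not Axis code). The function names are this example's own and the file name in the usage comment is a placeholder; pass the checksum published for the file you actually downloaded.

```bash
#!/usr/bin/env bash
# Added example: refuse to treat a downloaded root CA file as a trust
# anchor unless its SHA-256 digest equals the published checksum.

# Print the lowercase SHA-256 hex digest of a file, using whichever
# standard tool is installed (sha256sum on Linux, shasum on macOS/BSD).
# Reading from stdin avoids sha256sum's escaping of unusual file names.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        return 127
    fi
}

# verify_trust_anchor FILE EXPECTED_SHA256
# Returns 0 on a match, 1 on a mismatch, 2 on any error (unreadable
# file, malformed checksum, no hash tool). Every non-zero result means
# "do not install".
verify_trust_anchor() {
    local file=$1 expected actual
    # Normalise a pasted checksum: drop whitespace, lower-case the hex.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] && [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # A truncated or mistyped checksum must never be accepted.
    case $expected in *[!0-9a-f]*) echo "checksum is not hex" >&2; return 2 ;; esac
    [ "${#expected}" -eq 64 ] || { echo "checksum is not 64 hex digits" >&2; return 2; }

    actual=$(file_sha256 "$file") || { echo "no SHA-256 tool found" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file is $actual, expected $expected; do not install" >&2
    return 1
}

# Usage (placeholder file name):
#   verify_trust_anchor ./device-id-root-ca.pem "<published SHA256>" \
#       && echo "safe to add to the trust store"
```

Take the expected checksum from a copy of this page fetched separately from the certificate file, so that one tampered download cannot supply both.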

News update

2020-07-31 An internal software security audit discovered a flaw in the protection against device tampering (known as Secure Boot) in AXIS W800 and AXIS S3008. Read the Axis Security Advisory for more information.

2020-06-22 Published Common remarks from security scanning tools to assist customers in making a risk analysis of the results from a security scan.

2020-03-19 An internal software security audit discovered a flaw in the protection for device tampering (known as Secure Boot) in AXIS Q3527-LVE and AXIS A8207-VE MkII. Read the Axis Security Advisory for more information.

2019-09-23 A researcher has discovered that ONVIF devices exposing WS Discovery (port 3207) to the Internet are susceptible to being exploited for a Distributed Denial-of-Service (DDoS) attack. Read the Axis Security Advisory for more information.

 

Subscribe to the Axis Security Advisory Notification email to receive notifications when a critical vulnerability occurs in Axis products and solutions.

 

 
