Security for Axis products, software and services
Axis, as a CVE-numbering authority (CNA), follows industry best practices in managing and responding to security vulnerabilities in our products to minimize customers risk of exposure. Axis cannot guarantee that products and services are free from flaws that may be exploited for malicious attacks. Therefore we monitor known vulnerabilities referred to as CVE (Common Vulnerabilities and Exposure). CVEs that Axis identify as critical or caused by Axis will be prioritized and announced publicly.
Vulnerabilities in Axis products, software and services
In the case that you have discovered a new vulnerability in our product firmware, you are encouraged to submit your discovery via email to email@example.com. Sensitive content can be encrypted using our public PGP key. Note that Axis does not operate any bug bounty programs, however we credit the person responsible for the discovery. Please see the vulnerability managment policy that is linked on this page for further details about the vulnerability management process.
Vulnerabilities in Axis web services
Should your discovery pertain to an exploit or vulnerability related to the Axis web or related web services, please contact firstname.lastname@example.org. Note that Axis does not operate any bug bounty programs, however we credit the person responsible for the discovery.
Axis Security Notification Service
Subscribe to Axis Security Notification Service email to receive notifications about security advisories, vulnerabilities, update of policy related guidelines and other security related information in Axis products, software and services.
2022-05-05 Statement from Axis Communications on the uClibc DNS vulnerability discovered by Nozomi Networks (CVE-2021-43523, CVE-2022-30295). Axis has not incorporated the uClibc package since 2010 in Axis products, software and services. To date, no active selling or discontinued Axis product that is still under hardware or software support is therefore affected by this vulnerability except for the AXIS P7701 Video Decoder. We are currently awaiting the availability of an upstream patch to be available to judge if we can provide a service release that patches this vulnerability.
2022-05-04 Axis acknowledges the importance and hard work performed by independent researchers and companies and therefore lists outstanding contributors in our new Product Security Hall of Fame.
2022-03-16 The Axis Security Team has updated the vulnerability management policy for products, software and services aiming to provide a more detailed and comprehensive vulnerability management process. The Axis Security Notification Service will be used from now on to inform on regular bases not only about Axis vulnerabilities but also 3rd party open-source components such as Apache, OpenSSL and others used in Axis products, software and services.
2022-03-13 An updated version of the AXIS Security Development Model has been released adding new details involving Vulnerability Scanning, External Penetration Testing as well as tool-extension explanations for the threat-modelling process within R&D software development.
2022-03-09 Update (CVE-2022-23410). The security advisory published on 14th of February has been updated. The initial solution provided in Axis IP Utility 4.17.0 to solve CVE-2022-23410 was deemed incomplete, therefore a new version, Axis IP Utility 4.18.0, has been released to address this. This new flaw has been found by James Tsz Ko Yeung from Hong Kong.
2022-02-14 An external researcher has found a flaw (CVE-2022-23410) in AXIS IP Utility that allows for remote code execution and local privilege escalation by the means of DLL hijacking. The vulnerability has been found by SeungYun Lee from the Korea University in Sejong.
2021-12-16 Statement from Axis Communications on the Log4j2 vulnerability (CVE 2021-44228). The investigation into our exposure to the Log4j2 vulnerability is nearly complete and we have not found any vulnerable systems to date. Further details are available in the official statement.
2021-10-05 An external research team has found several flaws (CVE-2021-31986, CVE-2021-31987, CVE-2021-31988) in functionalities used within the built-in event-system of AXIS OS-capable devices. All vulnerabilities were found by Andrea Palanca from Nozomi Network Inc.
2021-08-23 An external research team has found a shortcoming in AXIS Device Manager's handling of device credentials stored in RAM, read the Axis Security Advisory for more information. The vulnerability was discovered by Ben Leonard-Lagarde and Freddie Sibley-Calder from Modux Limted.
2020-04-08 Axis Communications, has been approved as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA) for Axis products, authorizing our company to assign and publish CVE IDs to vulnerabilities in our products. Sebastian Hultqvist, Global Product Manager at Axis Communications commented, “Being recognised as a CNA is a testament to our ongoing work and underscores Axis’ vulnerability management and security best practices. Read the full press release here.
2020-07-31 An internal software security audit discovered a flaw in the protection against device tampering (known as Secure Boot) in AXIS W800 and AXIS S3008. Read the Axis Security Advisory for more information.
2020-06-22 Published Common remarks from security scanning tools to assist customers in making a risk analysis of the results from a security scanning.
2020-03-19 An internal software security audit discovered a flaw in the protection for device tampering (known as Secure Boot) in AXIS Q3527-LVE and AXIS A8207-VE MkII. Read the Axis Security Advisory for more information
2019-09-23 A researcher has discovered that ONVIF devices exposing WS Discovery (port 3207) to Internet are susceptible to be exploited for a Distributed Denial-Of-Service (DDOS) attack. Read Axis Security Advisory for more information.
Subscribe to Axis Security Advisory Notification email to receive notifications if a critical vulnerability would occur in Axis products and solutions. Click here to subscribe.
Advisories & Policies
- AXIS Product Security Hall of Fame
- AXIS Security Advisories
- AXIS Vulnerability Policy
- AXIS Security Notification Service
- AXIS Security Terminology & Concepts
Audit & CVE-Analysis
Development & Production
Subscribe to stay secure!
Get notified when we find vulnerabilities in Axis products and solutions.