search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Various Axis products allow unauthorized remote privileged access

Vulnerability Note VU#799060

Original Release Date: 2003-06-05 | Last Revised: 2003-06-05


A vulnerability in various Axis Communications products may allow unauthorized remote privileged access.


Axis Communications Inc. produces network-enabled cameras and video servers. The company describes itself as "an innovative market leader in network video and print servers. Axis' products and solutions are focused on applications such as security surveillance, remote monitoring and document management."

A crafted URL sent to an affected device may allow a remote attacker to take a number of privileged actions, essentially gaining superuser access. For further details, please see the Core Security Technologies Advisory.


Quoting from the Core Security Technologies Advisory:
Using this vulnerability, an attacker can reset the root password, then enable the telnet server by modifying configuration files, giving the attacker interactive access to a Unix like command line, allowing her to execute arbitrary commands as root.


Apply a vendor-supplied firmware upgrade.

Vendor Information


Axis Communications Inc. Affected

Updated:  June 05, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


While we have been unable to find a statement from the vendor, it appears that each of the firmware upgrades includes the following statement:

    Some security issues in the web server have been solved.
For example, please see .

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was discovered by Juliano Rizzo of Core Security Technologies.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2003-0240
Severity Metric: 15.00
Date Public: 2003-05-27
Date First Published: 2003-06-05
Date Last Updated: 2003-06-05 15:10 UTC
Document Revision: 20

Sponsored by CISA.