CVE-2025-11142

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.axis.com/dam/public/18/0e/90/cve-2025-11142pdf-en-US-519291.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*

History

No history.

Information

Published : 2026-02-10 06:15

Updated : 2026-02-28 00:09

NVD link : CVE-2025-11142

Mitre link : CVE-2025-11142

CVE.ORG link : CVE-2025-11142

JSON object : View

Products Affected

axis

axis_os

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-11142", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-security@axis.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-10T06:15:52.430", "references": [{"url": "https://www.axis.com/dam/public/18/0e/90/cve-2025-11142pdf-en-US-519291.pdf", "tags": ["Vendor Advisory"], "source": "product-security@axis.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-security@axis.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account."}, {"lang": "es", "value": "La API VAPIX mediaclip.cgi que no ten\u00eda una validaci\u00f3n de entrada suficiente permitiendo una posible ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad solo puede ser explotada despu\u00e9s de autenticarse con una cuenta de servicio con privilegios de operador o administrador."}], "lastModified": "2026-02-28T00:09:21.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*", "vulnerable": true, "matchCriteriaId": "11F77320-FE90-4D11-A24B-F3F5741E5387", "versionEndExcluding": "12.7.36", "versionStartIncluding": "12.6.54"}], "operator": "OR"}]}], "sourceIdentifier": "product-security@axis.com"}