"IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft"

Researchers at Nozomi Networks Labs have discovered three security vulnerabilities in the IP video-surveillance systems made by Axis Communications that could allow arbitrary code execution, among other attacks on businesses. The researchers examined the company's Axis Companion Recorder, a compact network video recorder (NVR) that stores IP surveillance video coming from attached cameras (it can support up to eight at one time). They found that the three bugs affect all Axis devices that run the company's embedded Axis OS. The bugs include a heap-based buffer overflow (CVE-2021-31986, CVSSv3 rating of 6.7), improper recipient validation in network test functionalities (CVE-2021-31987, CVSSv3 rating of 4.1), and SMTP header injection in email test functionality (CVE-2021-31988, CVSSv3 rating of 5.5). Axis is in the process of releasing patches for all affected devices.

 

Infosecurity reports: "IP Surveillance Bugs in Axis Gear Allow RCE, Data Theft"

Submitted by Anonymous on