Skip to main content

Axis Os CVE-2025-0358

| EUVDEUVD-2025-16620 HIGH
Improper Privilege Management (CWE-269)
2025-06-02 product-security@axis.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:45 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
12.4.0
EUVD ID Assigned
Mar 14, 2026 - 16:47 euvd
EUVD-2025-16620
Analysis Generated
Mar 14, 2026 - 16:47 vuln.today
CVE Published
Jun 02, 2025 - 08:15 nvd
HIGH 8.8

DescriptionCVE.org

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

AnalysisAI

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, authenticated user with lower privileges to escalate to administrator-level access. Discovered during a penetration test by Truesec, this flaw affects Axis network devices and cameras utilizing the vulnerable VAPIX framework. With a CVSS score of 8.8 and local attack vector, the vulnerability poses significant risk to organizations deploying Axis devices in multi-user or untrusted environments, though it requires prior authentication and local access to exploit.

Technical ContextAI

VAPIX (Versatile Application Program Interface for Axis devices) is Axis Communications' proprietary API framework used for device configuration and management across their network camera and appliance product lines. The vulnerability resides in the Device Configuration component of this framework and is classified under CWE-269 (Improper Access Control), indicating insufficient validation or enforcement of privilege boundaries within the configuration module. The flaw allows a principal with lower privilege level (PR:L) to perform actions restricted to administrator roles through the VAPIX interface, suggesting insufficient authorization checks or privilege boundary enforcement in the API logic. Affected CPE identifiers would include products such as Axis network cameras (AXIS P series, AXIS Q series) and video management appliances that implement VAPIX configuration services, though specific version ranges require vendor advisories for precise identification.

RemediationAI

Immediate remediation requires patching Axis device firmware to versions that address the VAPIX Device Configuration privilege escalation. Specific remediation steps: (1) Identify all Axis devices in the environment and their current firmware versions; (2) Consult Axis Communications security advisories and release notes for patched firmware versions addressing CVE-2025-0358; (3) Plan and execute firmware updates following Axis's recommended upgrade procedures (typically via device management interface or centralized management tools); (4) Test patched devices in non-production environments first to ensure compatibility. Interim mitigations pending patching: (a) Restrict local/network access to VAPIX configuration interfaces to authorized administrative users only; (b) Disable remote VAPIX configuration if not required; (c) Implement strong authentication and access controls for any accounts with device access; (d) Monitor for unauthorized configuration changes through device audit logs; (e) Segment Axis devices on dedicated VLANs with restricted access policies. Workarounds are limited due to the authentication requirement; prevention of unauthorized local/network access to devices is the primary interim control. Axis Communications' official advisories and patches should be sourced from their security portal or direct communication with their support team.

CVE-2025-0324 CRITICAL
9.4 Jun 02

Privilege escalation in Axis VAPIX framework.

CVE-2021-31988 HIGH
8.8 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the

CVE-2025-0359 HIGH
8.5 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli

CVE-2023-21415 HIGH
8.1 Oct 16

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa

CVE-2025-0360 HIGH
7.8 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi

CVE-2021-31987 HIGH
7.5 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b

CVE-2023-21413 HIGH
7.2 Oct 16

GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac

CVE-2025-11142 HIGH
7.1 Feb 10

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio

CVE-2023-21418 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat

CVE-2023-21417 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab

CVE-2023-5553 MEDIUM
6.8 Nov 21

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t

CVE-2023-21414 MEDIUM
6.8 Oct 16

NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. Rated medium seve

Share

CVE-2025-0358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy