Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.
AnalysisAI
Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, authenticated user with lower privileges to escalate to administrator-level access. Discovered during a penetration test by Truesec, this flaw affects Axis network devices and cameras utilizing the vulnerable VAPIX framework. With a CVSS score of 8.8 and local attack vector, the vulnerability poses significant risk to organizations deploying Axis devices in multi-user or untrusted environments, though it requires prior authentication and local access to exploit.
Technical ContextAI
VAPIX (Versatile Application Program Interface for Axis devices) is Axis Communications' proprietary API framework used for device configuration and management across their network camera and appliance product lines. The vulnerability resides in the Device Configuration component of this framework and is classified under CWE-269 (Improper Access Control), indicating insufficient validation or enforcement of privilege boundaries within the configuration module. The flaw allows a principal with lower privilege level (PR:L) to perform actions restricted to administrator roles through the VAPIX interface, suggesting insufficient authorization checks or privilege boundary enforcement in the API logic. Affected CPE identifiers would include products such as Axis network cameras (AXIS P series, AXIS Q series) and video management appliances that implement VAPIX configuration services, though specific version ranges require vendor advisories for precise identification.
RemediationAI
Immediate remediation requires patching Axis device firmware to versions that address the VAPIX Device Configuration privilege escalation. Specific remediation steps: (1) Identify all Axis devices in the environment and their current firmware versions; (2) Consult Axis Communications security advisories and release notes for patched firmware versions addressing CVE-2025-0358; (3) Plan and execute firmware updates following Axis's recommended upgrade procedures (typically via device management interface or centralized management tools); (4) Test patched devices in non-production environments first to ensure compatibility. Interim mitigations pending patching: (a) Restrict local/network access to VAPIX configuration interfaces to authorized administrative users only; (b) Disable remote VAPIX configuration if not required; (c) Implement strong authentication and access controls for any accounts with device access; (d) Monitor for unauthorized configuration changes through device audit logs; (e) Segment Axis devices on dedicated VLANs with restricted access policies. Workarounds are limited due to the authentication requirement; prevention of unauthorized local/network access to devices is the primary interim control. Axis Communications' official advisories and patches should be sourced from their security portal or direct communication with their support team.
Privilege escalation in Axis VAPIX framework.
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b
GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t
NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. Rated medium seve
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16620