Skip to main content

Axis Os CVE-2025-0359

HIGH
Incorrect Authorization (CWE-863)
2025-03-04 product-security@axis.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 04, 2025 - 06:15 nvd
HIGH 8.5

DescriptionCVE.org

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

AnalysisAI

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. Affected products include: Axis Axis Os, Axis Axis Os 2024.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2025-0324 CRITICAL
9.4 Jun 02

Privilege escalation in Axis VAPIX framework.

CVE-2025-0358 HIGH
8.8 Jun 02

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut

CVE-2021-31988 HIGH
8.8 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the

CVE-2023-21415 HIGH
8.1 Oct 16

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa

CVE-2025-0360 HIGH
7.8 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi

CVE-2021-31987 HIGH
7.5 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b

CVE-2023-21413 HIGH
7.2 Oct 16

GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac

CVE-2025-11142 HIGH
7.1 Feb 10

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio

CVE-2023-21418 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat

CVE-2023-21417 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab

CVE-2023-5553 MEDIUM
6.8 Nov 21

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t

CVE-2023-21414 MEDIUM
6.8 Oct 16

NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. Rated medium seve

Share

CVE-2025-0359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy