Skip to main content

Camera Station CVE-2025-30026

| EUVDEUVD-2025-21109 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2025-07-11 product-security@axis.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:51 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.58,6.9
EUVD ID Assigned
Mar 16, 2026 - 08:17 euvd
EUVD-2025-21109
Analysis Generated
Mar 16, 2026 - 08:17 vuln.today
CVE Published
Jul 11, 2025 - 06:15 nvd
CRITICAL 9.8

DescriptionCVE.org

The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required.

AnalysisAI

CVE-2025-30026 is a critical authentication bypass vulnerability in AXIS Camera Station Server that allows unauthenticated remote attackers to completely compromise the system without requiring valid credentials. The flaw has a CVSS score of 9.8 with a CVSS vector indicating network-accessible, low-complexity exploitation requiring no privileges or user interaction, enabling attackers to achieve full confidentiality, integrity, and availability compromise. This vulnerability affects the AXIS Camera Station Server product line and represents an immediate and severe threat requiring emergency patching.

Technical ContextAI

AXIS Camera Station Server is a centralized management and monitoring platform for Axis communications cameras and devices. The vulnerability stems from CWE-288 (Authentication Bypass Using an Alternate Path or Channel), indicating that the application fails to properly enforce authentication controls across all access pathways or entry points. Rather than a cryptographic weakness, this class of flaw typically involves logic errors where certain API endpoints, administrative functions, or protocol handlers bypass standard authentication checks. The affected software likely contains a network-accessible service (HTTP/HTTPS API, protocol handler, or management interface) that fails to validate user credentials before granting access to sensitive operations. This suggests the vulnerability may exist in web service endpoints, REST API handlers, or remote management protocols used by the Camera Station Server for device communication and administration.

RemediationAI

Immediate remediation steps: (1) Apply vendor-supplied security patches from Axis Communications as soon as released—this is a CVSS 9.8 emergency requiring prioritized patching within 24-48 hours; (2) Until patches are available, implement network-level isolation by restricting network access to AXIS Camera Station Server to only authorized administrative networks using firewall rules and network segmentation; (3) Monitor for unauthorized access attempts to the server through access logs and IDS/IPS signatures; (4) Disable remote management interfaces if not actively required; (5) Implement multi-factor authentication and role-based access controls at the network perimeter level as interim compensating controls. Recommended actions: Contact Axis Communications immediately through their security advisory channel for patch availability and timelines; check vendor security advisories at https://www.axis.com/en-us/support/axis-communications-security-advisory for official patch releases and CVE-specific mitigation guidance; deploy patches to all affected AXIS Camera Station Server instances immediately upon availability.

Share

CVE-2025-30026 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy